How to talk security so people will listen (and comply!)
For instance, USB devices were needed by many business units to transfer data, but the IT organization knew that USB devices can be a major contributor to data loss if not managed properly. So the Endurance IT team said "yes, but..." by distributing the devices but also instituting and explaining a policy to ensure they had password protection and encryption.
"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.
Promote security from the top down
Security initiatives should be mandated and supported at the top levels of the organization. At Endurance, information security is a board-level agenda item and a strategic business objective, says Terry. "Being able to work with your executive team and senior management to help share the communication message makes it much easier rather than being an IT-centric responsibility."
Royal Philips recognized the need for top-down security communications when it created a corporate level organization called Information Security and named Mankovich its first chief information security officer in January 2012. The group "is focused on a simple pitch, which is the adequate protection of information that affects the business of Philips," Mankovich says. "That could mean my laptop, my notebook, even information that's in my head. And it's everybody's responsibility."
Share your company's hack history
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your own company's systems, or incidents within business units, can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. "[Security leaders] have got to show logic, show data, and relate it to the business goals and, if not addressed, what impact it can have toward achieving those goals," he says. "The more your predictions start to come true, [the more] you're demonstrating you know what you're doing and you're not trying to impede the business, you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance: "We had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them," Harkins relates.
Intel also posts its lost or stolen laptop rates and reminds people how to take care of equipment. It will also share general investigation or incident details, including mistakes made by employees, such as posting information to a social site, and describe the risk that created for the company, Harkins says. "But we don't share who did it or other details that would embarrass or create issues for the employee," he clarifies.
Others have mixed feelings. Mankovich says the transparency approach "bears consideration," but he worries that any shared information could too easily jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "Knowing that, we must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."
Security: Endlessly exciting
Ultimately, convincing employees to remain vigilant is a job shared between IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!