How to talk security so people will listen (and comply!)
For instance, USB devices were needed by many business units to transfer data, but the IT organization knew that USB devices can be a major contributor to data loss if not managed properly. So the Endurance IT team said "yes, but..." by distributing the devices while also instituting, and explaining, a policy requiring that the devices be password-protected and encrypted.
"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.
Promote security from the top down
Security initiatives should be mandated and supported at the top levels of the organization. At Endurance, information security is a board-level agenda item and a strategic business objective, says Terry. "Being able to work with your executive team and senior management to help share the communication message makes it much easier rather than being an IT-centric responsibility."
Royal Philips recognized the need for top-down security communications when it created a corporate level organization called Information Security and named Mankovich its first chief information security officer in January 2012. The group "is focused on a simple pitch, which is the adequate protection of information that affects the business of Philips," Mankovich says. "That could mean my laptop, my notebook, even information that's in my head. And it's everybody's responsibility."
Share your company's hack history
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your own company's systems, or incidents within business units, can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. "[Security leaders] have got to show logic, show data, and relate it to the business goals and, if not addressed, what impact it can have toward achieving those goals," he says. "The more your predictions start to come true, [the more] you're demonstrating you know what you're doing and you're not trying to impede the business, you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance: "We had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them," Harkins relates.
Intel also posts its lost or stolen laptop rates and reminds people how to take care of equipment. It will also share general investigation or incident details, including mistakes made by employees, such as posting information to a social site, and describe the risk that created for the company, Harkins says. "But we don't share who did it or other details that would embarrass or create issues for the employee," he clarifies.
Others have mixed feelings. Mankovich says the transparency approach "bears consideration," but he worries that any shared information could too easily jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "Knowing that, we must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."
Security: Endlessly exciting
Ultimately, convincing employees to remain vigilant is a job shared between IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."