How to talk security so people will listen (and comply!)
For instance, USB devices were needed by many business units to transfer data, but the IT organization knew that USB devices can be a major contributor to data loss if not managed properly. So the Endurance IT team said "yes, but..." by distributing the devices but also instituting and explaining a policy to ensure they had password protection and encryption.
"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.
Promote security from the top down
Security initiatives should be mandated and supported at the top levels of the organization. At Endurance, information security is a board-level agenda item and a strategic business objective, says Terry. "Being able to work with your executive team and senior management to help share the communication message makes it much easier rather than being an IT-centric responsibility."
Royal Philips recognized the need for top-down security communications when it created a corporate level organization called Information Security and named Mankovich its first chief information security officer in January 2012. The group "is focused on a simple pitch, which is the adequate protection of information that affects the business of Philips," Mankovich says. "That could mean my laptop, my notebook, even information that's in my head. And it's everybody's responsibility."
Share your company's hack history
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your own company's systems, or incidents within business units, can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. "[Security leaders] have got to show logic, show data, and relate it to the business goals and, if not addressed, what impact it can have toward achieving those goals," he says. "The more your predictions start to come true, [the more] you're demonstrating you know what you're doing and you're not trying to impede the business, you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance: "We had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them," Harkins relates.
Intel also posts its lost or stolen laptop rates and reminds people how to take care of equipment. It will also share general investigation or incident details, including mistakes made by employees, such as posting information to a social site, and describe the risk that created for the company, Harkins says. "But we don't share who did it or other details that would embarrass or create issues for the employee," he clarifies.
Others have mixed feelings. Mankovich says the transparency approach "bears consideration," but he worries that any shared information could too easily jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "Knowing that, we must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."
Security: Endlessly exciting
Ultimately, convincing employees to remain vigilant is a job shared between IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts