How your approach to corporate culture can keep your information secure

It’s often said, ‘people are the weakest link in cybersecurity’. I get that and I agree that we must seek to minimize human-related threat vectors. But I believe that if we view our people, our teammates, as our greatest security asset, then we start from a position of strength.

I focus on two things when creating a secure organization that works effectively both in-office and from home: technology and culture. Both are important, both require resources. For many organizations, COVID-19 rendered void two key resources; a secure office network and time. Understandably this applied extraordinary pressure on IT and infosec teams; creating new priorities and pressurizing any in-flight initiatives, security, or otherwise.

The technical controls that keep information confidential, trustworthy and available aren’t the focus on this discussion. Briefly speaking though, we find that zero (technical) trust, least privilege and assume-breach are useful principles upon which to base our technical decisions.

They say the bad guys need only get it right once; but the good guys? They’ve got to get it right every time. What better way to maximize your chances of getting it right than by fostering a culture where everyone feels they’re an active part of the company’s infosec efforts? Here are three simple steps that can help:

1. Communication: Regular company-wide messages from senior infosec leadership can demystify infosec and communicate that we’re in this together. Key information to share: topical infosec news, advice on staying safe and how infosec measures are always a balance between friction and control. Don’t restrict information to work-only. Don’t forget to share personal infosec tips too. Demonstrate that the need for security doesn’t end at five o’clock, and neither does your friendly infosec team and their desire to help.
2. Encourage participation: When it comes to infosec, there really is a them and an us: There really are people trying to do bad things with our information, so communicating that we’re all active members of the infosec team is helpful. Encouraging everyone to play their part and reach out; to ask questions, share their concerns and what they’ve seen significantly increases the number of eyes on the lookout and bolsters the perimeter with active, rather than passive participants.
3. Responsiveness: When people engage, then welcome it, act on it, and follow up. Even if the intel proves to be irrelevant, be grateful that someone took the time to reach out and tell them so. Over time, word gets around that infosec team isn’t just words of encouragement, but fellow teammates who, like anyone else, benefit from some help.

This simple communications approach spurs cultural change; it changes perceptions, and perception influences behavior. When message and action are applied consistently and across the business, then it becomes ‘normal’ for each individual to take part in everyday information security, regardless of the day job.

My company’s infosec team has about 1,600 people in it. How about yours?