As a security consultant, the very first responsibility that I take on with a client is to ensure that members of the leadership team understand their role in security. It is not at all uncommon for folks to have made a mental check mark beside the topic of security because some security tools or even a security team are in place. The thought that comes along is, “Oh, we’ve got security covered, so we (leadership) don’t need to think about security anymore.” Since security is about managing risk, this is nothing close to the truth. Leadership has an ongoing and persistent responsibility to help establish and maintain an appropriate security culture within their organization.
The next level I try to reach with clients is helping them understand that all of their employees play a role in the management of security risk. A parallel that I like to use for this concept is Environmental Safety and Health. Leadership cannot be in all places at all times to remind each and every employee to think and act safely. The use of a box cutter is but one of an endless list of examples that could be cited. When an employee goes to open a box, that employee is responsible for their own safety. Using a box cutter safely should result in the box being cut and not the employee. So it goes with the management of security risk.
As is true with Safety, leadership cannot always be there to remind employees to think about security on a day-by-day or event-by-event basis. Whether the responsibility is simply to complete prescribed security awareness training and education assignments or to develop a deeper understanding of the business processes where security risk exists, each employee needs to be developed so that they understand the role they play in helping to manage security risk.
Folks throughout an organization need to hear their leadership talking about security: about the priority being placed on security at the enterprise level and about how each person plays a part in managing security risk. A good description of the benefits of security risk management, and of the relationship between security risk management and business success, is good for people to hear as well. This will help begin the process of developing a culture of security and the greater sense of individual responsibility for protecting company assets that accompanies such a culture.
We can no longer think about security as the “things” (guards, cameras, anti-malware software, firewalls, etc.) that have formed our perceptions of what security is. Rather, we must adopt a new perception of security and work intentionally to build Security Culture into each respective environment.