By Marilia Wyatt, CyberPrivacy
Building a security culture across an enterprise should be a business priority to reduce cyberrisk.
Cybercrime continues to rack up hundreds of billions of dollars annually and attacks on smaller companies can cripple their operation to non-existence. Data privacy violations and fraud continue to plague consumers after breaches.
Chief executive Chris Young at internet security company McAfee has some advice on building this security-first culture. He urged decisions makers to embed security into company vision and values – one that employees can get behind, celebrate, and truly live up to.
The goal of this culture is to change employee behavior and rally people to care a lot about security and consider how their actions impact it, Mr. Yong explained. It’s about living and breathing security, and making that visible in the organization.
“Then you must get employees onboard, as well as others outside your organization who will have an impact on your culture. Keep in mind your own employees can be your best defense or your biggest vulnerability when it comes to cyber threats,” he said.
Creating a security business culture is not merely a training session to check off compliance. It requires ongoing effort, said Rob Sloan, cybersecurity research director, WSJ Pro:
“Organizations must recognize that building a security culture is a long-term commitment and requires ongoing work to reflect both the changing threats and the fact that for most employees in most companies, security is not necessarily a priority. Motivations such as driving revenues, achieving targets and simply trying to get a job done often conflict with operating securely,” he said.
Mr. Young described how McAfee adapted its initial mission to focus on cyber. “We adapted some of the language to make it bolder and to make the intention crystal clear for anyone saying the words. The Pledge symbolizes this commitment, this purpose, for our employees,” he said. It reads:
We dedicate ourselves to keeping the world safe from cyber threats.
Threats that are no longer limited to the confines of our computers,
but are prevalent in every aspect of our connected world. We will not rest
in our quest to protect the safety of our families, our communities,
and our nations.
All employees sign the pledge and new employees sign it as part of the onboarding process. But, in contrast to signing a corporate IT Acceptable Use Policy, the Pledge is visible.
“We literally have Pledge on walls around our offices,” Mr. Young noted. “The Pledge is also on notebooks and badge cards because we want to remind employees that with every step they take comes huge responsibility. We remind our employees that they could be the difference in thwarting a cyber-attack whether for a customer or partner, or for McAfee.”
Decision makers should focus on creating a security culture, this will require embedding Cybersecurity into company vision and values to funnel through all aspects of the business. Improving cybersecurity decisions is not only a tech problem, but it’s also a human problem as often the weakest vulnerability.