CIOs: Inspire a Company-Wide Culture of Security Awareness
The buck might stop at the CEO’s desk, but security responsibilities begin and end with the CIO. Many CIOs shoulder the burden of protecting an enterprise’s digital assets, even though just about every employee uses the technology. While CIOs can’t monitor every button click, they can earn their salaries by convincing all those employees to embrace a security-first philosophy.
By establishing a high standard of behavior and talking openly about cybersecurity in the enterprise, a CIO can successfully encourage security awareness and understanding across all departments. Best practices will then become unflinching habits for employees, who will think twice about using simple passwords or downloading unknown files. A paradigm shift is never simple, but when overall security awareness increases, risk management transforms into a shared, company-wide responsibility.
Security Awareness Starts With Company Culture
As the number and complexity of breaches increase annually, companies can’t rely on the same old practices. The high threat of cybersecurity breaches will continue this year after both large and small companies in almost every industry experienced breaches in 2016.
New security technology alone won’t provide the necessary vigilance. It takes technology, processes and people to properly defend assets. Those three areas will seamlessly merge when supported by a culture that stresses action-by-action, day-to-day security, and that’s where a CIO can make a difference.
A CIO needs to constantly remind — and sometimes proselytize — everyone in the enterprise that they have a role to play in security. A CIO must become both a trusted resource and a forgiving friend. This requires the smarts to explain why security steps are being enacted and the patience not to scold employees who inadvertently break security protocols. Respect and trust will prompt employees to buy into cybersecurity education strategies.
Consider what happens when CIOs and IT aren’t communicating with the rank and file. A 2016 Ponemon Institute survey found that a majority of IT managers didn’t have visibility into their employees’ password practices; 55 percent of those companies suffered a cyberattack, according to CIO Dive.
Every Employee Can Follow Security Practices
Even best security practices won’t take hold if employees don’t understand and accept the strategy behind them. Employees will understand cybersecurity better if they learn about it through their everyday business practices rather than through irregular, compulsory training sessions that are quickly forgotten. Amazingly, 45 percent of U.S. workers receive no cybersecurity training at all, Fortune reports.
A CIO can highlight security tricks and tips at informal lunch sessions or through clever, succinct emails — these together should help employees better understand preventative measures such as creating strong passwords and not clicking on suspicious links.
CIOs should also walk through why certain security practices are being implemented, instead of enacting them in silence. An unexplained ban on the emailing of March Madness brackets may look draconian, but explaining that the move is a defense against a phishing scam that takes advantage of the popular tournament will help employees see they’re playing a critical role in security.
It’s always worthwhile incentivizing the use of strong security practices. Consider a reward system for employees who report suspicious activity, even if it turns out to be a false alarm, or start a competition to see who can complete all the items on a company security checklist the fastest. Rewards and gamification motivate people.
Partnering with other departments will quickly foster buy-in. This is the year CMOs could spend more money on IT than CIOs (a prediction Gartner made several years ago). With fewer obligations to legacy systems and software, CIOs have time to work closely with CMOs and other department heads to ensure business functions run without a hitch and cybersecurity risks are minimized.
Every Day Is an Education in Security
Enterprises need to remain focused and vigilant to combat familiar and unfamiliar cyberthreats, including cyberextortion, payment fraud and CEO fraud.
Strength comes in numbers. If a company wants to thwart cyber risk, it must promote a culture of strong security by properly educating and motivating every employee. That lesson starts with the CIO.