Data breaches are becoming commonplace for businesses around the globe. Yet few companies possess the skills, tools and technologies necessary to identify data breaches before they escalate – despite the fact that a data breach can cause long-lasting problems for a business, its customers and its employees.
David Levine, Vice President of Information Security and Chief Information Security Officer at Ricoh USA, shared his thoughts on the challenges and complexities associated with building a security-first culture during his keynote presentation to Argyle’s CISO membership at the 2018 Information Security Officer Leadership Forum in Atlanta on April 5. In his presentation, “Building a Security-Driven Culture,” Levine offered recommendations to help information security professionals foster a security-focused culture within their respective organizations.
Today’s companies must devote extensive time and resources to create security-driven cultures, regardless of a business’ size or industry. As new technologies become available, cybercriminals likely will use advanced cyberattack methods to target businesses. Meanwhile, companies that fail to integrate security into all aspects of their day-to-day operations risk costly, time-intensive data breaches.
“We used to talk about the ‘big breach,’ and now, you can’t keep track of all of the [data breaches],” Levine stated. “Now, it’s vulnerability whack-a-mole. There are all new kinds of vulnerability, and each vulnerability has all kinds of implications.”
Although data breaches may wreak havoc on businesses, some companies fail to plan for the potential ramifications of these security incidents. In these instances, businesses ignore the consequences of data breaches.
“Data breaches are happening so frequently now, and I believe business management may be getting numb to them at times,” Levine said. “We’ve seen some really large corporations suffer some really nasty problems, but [these businesses] are still here. And in many cases, these businesses are doing great.”
A company that takes the aforementioned approach to security, however, risks suffering a data breach that results in brand reputation damage, revenue losses and other problems. Perhaps even worse, this business may put sensitive customer and employee data in jeopardy.
Information security professionals must be able to provide C-suite executives and other business leaders with timely, relevant security insights. If business leaders understand the importance of security preparedness, they may be more likely than ever before to buy into the development of a security-centric culture. “If you’re constantly going to management … you could create a situation like the boy who cried wolf,” Levine indicated. “That doesn’t help build trust or build a culture.”
Ultimately, information security professionals must show business leaders why it is essential to devote time and resources to develop effective security measures. To accomplish this goal, information security professionals can highlight the potential costs of a data breach, as well as the potential savings provided by implementing various security technologies.
Information security professionals also can teach business leaders about different security topics. By educating business leaders about security, information security professionals may be able to show these leaders why they need to prioritize security investments.
“If a company is really hyper-focused on an objective, a top-down endorsement in security may not be as strong as you’d like,” Levine pointed out. “And if you don’t have that top-down endorsement, you’re going to have some challenges when you push for a [security-driven culture].”
To obtain buy-in across a business, information security professionals must be able to explain the importance of security measures for all employees, at all levels. If information security professionals offer practical security tips and best practices that individuals can use both at work and at home, they could take the first step to foster a security-centric culture.
But this rarely happens overnight. Instead, information security professionals must be persistent, provide employees and business leaders with security tools and resources and foster a culture built on trust and education. “Building a culture [around security] is about trust and education and being realistic,” Levine noted.
It may take many weeks or months to build a security-driven culture, and information security professionals must continue to keep employees and business leaders up to date about new security dangers. With a diligent approach to culture, information security professionals can make security an integral part of a business’ day-to-day efforts.
“Building a security-driven culture can be a challenging endeavor,” Levine stated. “The good news is there are approaches we can take to drive awareness and understanding, and ultimately, an environment that incorporates security into our [company’s] DNA.”