We’ve underscored the importance that “everyone is in security,” but we must be careful not to  assume they understand everything we are saying. Remember, most individuals we interact with are not security professionals. So, how can we develop a security culture and help them understand basic security principles? First, we lead through effective communication. Consider the following areas:

Keep it Simple

SSO, DDoS, Ransomware, Phishing, etc. are all common knowledge terms; but common only to professionals.  Even if our audience has heard the term, they likely don’t know the full meaning and detail behind it.  It’s our job to educate -- keep it simple. Use illustrations and analogies that your audience is familiar with to help them understand.  Don’t underestimate the power of stories -- Real life examples spark interest and make boring material memorable. So, get out of the policy reading and regulatory fear.  Know your audience, reach your audience!

Focus on Team

Because security is a team sport, we are only as strong as our weakest link.  Everyone in the company needs to put up a solid defense to keep themselves, their coworkers, and the organization safe and secure. Having regular and interesting awareness campaigns establishes a “same boat” conversation and promotes the idea that everyone has a role on the team.  Be sure to take advantage of large change events, such as new technology rollouts, reorganization, etc.  These “all hands” moments, when properly integrated, and help promote “team” over change.

Can Do

Be positive: avoid fear and can’t.  Everything, especially over the past year, has been about what we can’t do – restrictions.  Position and present to the positive side. True, warnings are integral to security, but let’s motivate and promote efforts to protect versus setting a stage of frustration.  Know that everyone today is easily overwhelmed -- let’s not add to their plate, let’s ask for their help.

Lead the Team

Use the technology, access methods, privileges, and tools that you are asking to be used.  Experience the experience – know what “the real world” is like.  Be familiar with your organization, department functions, and a wide field individuals throughout the organization. Know what’s working and what’s frustrating. These efforts reinforce that we are bringing the same level of commitment to the team that we are asking for.

Consider the C-suite litmus test: are there special allowances or functional differences in C-suite compared to the typical user?   If so, you must examine the why:  Does it not work that well? Is the experience frustrating? Are we trading risk for convenience that would otherwise be unacceptable?  The C-suite is the leadership of the entire team, they should be well aligned and honestly able to promote security.  If we are afraid of the C-suite when implementing a process, tool, control, or method, likely the ask, the education, the communication, and/or the solution is just not good enough! So why are we asking anyone else to do it?

OCTELLIENT - Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments.  Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.

Ask us about Propulsion, Deepwater, and the 8-point Dossier

info@octellient.com

www.octellient.com