Who owns cyber security for the organization? This is a question suited for both organizations that are standing up their first security program as well as for existing security leaders seeking further maturity in an existing program.
Cyber Security Hub hosted a webinar with Code42 to explore how cyber security can become an integral part of enterprise behavior and culture. Cyber security is still viewed as an IT issue that often means InfoSec gets bolted on rather than bolted in to the company’s operations and culture. The typical owners of enterprise cyber security are IT or security.
This “bolted on” behavior has left security teams sometimes feeling like they are alone in a silo. Isolation can lead to struggles working with other departments and conveying the need for collaboration on security messages. However, the security team does not have to be the only ones spreading awareness and best practices for cyber hygiene. Security has touchpoints with every part of the organization including Legal, Risk, HR, Operations and more.
See Related: Sharing Stakeholder Knowledge Between Enterprise Cyber And HR Executives
Identifying Enterprise Secure Champions
This presents an opportunity to identify key stakeholders across the organization to help make security everyone’s responsibility. Some of these potential “champions” will be obvious from their leadership role. Others may be part of the workforce that are merely intrigued by the work that the cyber security team does, and want to offer assistance.
When considering the organizational pillars of people, process, information and technology, the activities and scope of modern enterprise security are so much more than the technologies. While cyber practitioners need to have an intimate understanding of software and systems, too many security teams focus on purchasing tools without a process or partnership in place. Deployment and support must be effective and enabling the organization’s business objectives.
This realization leads to less focus on technology and more on people and process. For example, an increase in collaboration leads to improved diversity of ideas and ultimately a more informed set of outcomes that also enhance processes.
The old-school cyber security approach of a castle surrounded by a moat as the primary means of defense no longer works. The concept of a physical security perimeter has all but disappeared. The workplace is not only collaborative, but it is also mobile, virtual and distributed without physical boundaries. User access and applications must accommodate this change as well as the security processes necessary to protect data.
See Related: Successful Cyber Budgets And Risk Reduction With Diverse Stakeholders
Security Practices Evolve With The Organization
As the enterprise grows, the workforce can no longer be the front lines for identifying new threats, such as phishing attacks. This parallels the change in development, which has evolved from a waterfall process to agile, continuous deployment. Security should avoid being the enforcer and saying “no,” which will not endear security teams to the rest of the business.
The webinar also addressed several questions related to identifying security champions including:
- The biggest barriers to getting cooperation from other teams
- Whether it is more important to start with process or technology first
- Suggestions for collaborating in a multinational, cross-border environment
- The best approach to pitching the importance of security to your stakeholders
See Related: Webinar - How To Create Enterprise Security Champions
