What does it mean to make cybersecurity a business priority?
It means making security much more relevant, making sure it is understood and incorporated into everyone’s day-to-day work. Sometimes, cybersecurity can be viewed as strictly a technical subject. “It's for the IT team, or the security team.” Our approach has been to say, “yes, it's led by technology, but it's more pervasive and it’s relevant and critical to absolutely everyone.” That's the theme we've been going after. Steve: What brought about this approach? Was it news of breaches at other large organizations? Joe: I wouldn't say the security incidents at Equifax, Target, and so on were the catalyst. We are a technology business ourselves, so this has always been a pressing subject - how do we make security much more relevant, or pervasive to everyone, and not just viewed as a technical subject? We believe that all our employees - not just technology employees - are part of the security regimen and our defense situation.
If security is done well in an organization, it's one part technical controls, one part risk management, and one part organizational behavior.
If you go on a job website and look through information security job listings, you'd have to page through dozens and dozens of postings before you find a single one that mentions the softer skills of organizational change management or organizational behavior. Security today is so intensely focused on technical controls, but that produces security that is “bolted-on” instead of “built-in”. Instead of relying mostly on external tools, penetration tests, and things like that to find the flaws in other people’s work, why not engage with people at a different level and help them see where you're trying to go and give them the motivation to go along on that journey with you. That's really what we're trying to accomplish.
Read the rest at Heller Search Blog