Every security department has a limitation: it can’t be on the front lines of every business activity all the time. The charge to make security everyone’s responsibility is vital for a security program to succeed.
“As technology becomes more ubiquitous and the threat landscape continues to evolve, organizations can no longer rely solely on their security teams to protect against cyberattacks. Everyone within an organization is a potential target and must be prepared to respond,” said Rama Balla, cloud/cyber security architect, Macquarie Group.
Art Ocain (@ArtIsGrowth), CIO and CISO, Airiam, added, “In an era where cunning insider-threat attacks like Lapsus$ prey on corporate employees, it’s crucial to foster a culture that not only raises security awareness but also motivates people to actively safeguard the organization.”
We asked our community of experts for their suggestions for getting everyone onboard and committed to a positive security culture. Here are 20 recommendations from 38 of your colleagues and peers.
Thanks to our sponsor, Code42
1. We all belong in both camps: the business and its security process
“From the janitor to the CEO, the goal from leadership should be to impress upon people that together we are stronger and that because we’re all interconnected we all help to defend each other,” said Nick Espinosa (@NickAEsp), chief security fanatic, Security Fanatics.
“Just the same way we say ‘everyone is responsible for keeping costs reasonable,’ why would we exclude certain people from cybersecurity responsibilities?” asked Ed Covert (@ebcovert3), head of cyber risk engineering, Bowhead Specialty. Benjamin Schine, information security analyst, Corvid Cyberdefense, drove home the point: “Even if you’re the temp in a mailroom, you’ll still get emails from a company, from onboarding to regular company communication, and this means you’re part of the security process.”
2. Cybersecurity isn’t just for the geeks
“Cybersecurity is no longer just a technology problem, it’s a business problem. With the increasing number of security incidents happening with companies’ third and fourth parties, business resilience is a critical component of everyone’s responsibility,” said Ariel Weintraub (@SecurityMermaid), head of enterprise cyber security, MassMutual.
John Overbaugh, CISO, ASG, summed it up: “Sometimes the answer isn’t tech, it’s internal process.”
3. Make it personal: It’s your problem
“The way I get everyone to understand that security is everyone’s responsibility is to make the security problem personal for people – so they can understand how it can impact their personal digital computing first and then how it makes the business successful,” said Patti Titus (@RUSecur), chief privacy and information security officer, Markel.
“We’ve missed the mark by teaching security from the business perspective only. Instead, we need to teach people to be security conscious in their personal lives. They will bring that to work and benefit the company,” added Patrick Benoit (@patrickbenoit), global CISO, Brinks.
“Security means the protection of their own data, and the data of their friends, families, and clients, such as social security numbers, credit cards, and health information,” explained Matthew Radolec, senior director, incident response and cloud operations, Varonis.
“If your organization uses a BYOD approach to mobile device management, then this individual education needs to be more strongly stressed,” said George Al-Koura (@GeorgeAlKoura), CISO, ruby. “The question in people’s minds,” said Chad Warner, founder and website security analyst, OptimWise, is, “‘What’s in it for me?’ You need to show them how security will benefit them directly in their role. Make the benefits as tangible as possible.”
4. What, Me Worry? Eliminate complacency
“Build security culture by educating against the ‘it can’t happen to me’ mindset. We’re still talking to a lot of organizations that have a poor security posture and have no urgency to do anything about it,” explained Hwei Oh (@Hweiout), CISO, SolCyber.
“Often, people are too busy to think about security and the bad things that ‘only might’ happen. Be clear with everyone, regardless of their role, as to what cyber security threats they could face and use real-world examples, so that it’s something they actually think about,” suggested David Ratner (@davidhratner), CEO, HYAS.
5. Choose the carrot over the stick
“Most companies use some form of simulated phishing messages as part of awareness education and testing,” said Renee Guttmann, founder, CisoHive. “Seeing employees being penalized for failing phishing tests caused me to reflect on whether employees would be more engaged if we rewarded them for success. Suddenly the phishing tests were seen as positive due to the competition we could create across departments.”
“Rewarding employees (management included) who demonstrate good security behavior, such as reporting incidents or identifying vulnerabilities, helps promote a culture of security awareness, threat detection, and responsibility where employees feel comfortable reporting incidents without fear of reprisal,” offered Dimitri van Zantvliet, CISO, Dutch Railways.
“Create allies, rather than adversaries,” said Jadee Hanson, CIO and CISO, Code42, “Use empathy. When we are alerted to an employee doing something they shouldn’t, a member of the security team will reach out via Slack with a friendly ‘Hey, did you mean to do this?’ Nine times out of ten the employee was not acting maliciously. This simple interaction allows us to correct the behavior.”
6. Make it a top-down issue
“The Board and the C-suite are responsible for setting the tone when it comes to security,” said Macquarie Group’s Balla. “They must provide clear direction and guidance, allocate appropriate resources, and prioritize security as a key business objective.”
Security leadership is not just the responsibility of the CISOs. “The CMO, CRO, CIO, and especially CEO – everyone must champion the importance of a strong security culture,” said Gianna Whitver, marketing advisor, Votiro. But as Security Fanatics’ Espinosa observes, “That message is often lost, especially when you have a well-meaning CISO who doesn’t get the buy-in from the C-level or when the C-level thinks they’re too important to be trained as well.”
7. Make it about the “why”
“We always recommend pushing the ‘why,’” said Phil Robinson, CMO, Lepide. “CISOs are very aware of the potential consequences for not changing a password, or not using MFA, but other employees might not be. The consequences of security breaches can be quite shocking to the uninitiated.” And when relevant, personalize the why. “Training must provide context for the business (why?) as well as the single employee (why me?),” said Anastasios Arampatzis (@TassosAramp) of Bora.
8. Make it part of the job, not an add-on
“The real way to make security everyone’s responsibility is to integrate those responsibilities into the functions of the role. Security is a responsibility that should be embedded, with each individual’s security-related duties shaped by their day-to-day responsibilities within the company,” said Hadas Cassorla, CISO, M1 Finance.
“New employees should receive security training as part of their onboarding process,” added Macquarie Group’s Balla.
“Give people concrete examples that directly apply to them and break them down by role,” explained Bryan Zimmer, head of security, Gretel.ai, “An example for engineering roles could be patching vulnerabilities within your SLA. If you’re ISO 27001 compliant, it’s a good idea to add these to your ‘Roles and Responsibilities’ policy, if you haven’t already.”
Security responsibilities change given job requirements and the situation an employee faces. “There is a big difference between expectations for a CFO who will travel overseas and a network engineer with elevated access. As a security champion, you should always speak to people at their individual level to ensure they understand the full extent of their security responsibilities,” said Dr. Tim Nedyalkov, technology information security officer, Commonwealth Bank.
9. Don’t complicate the process of being secure
“Make it simple, make it easy, make it standard,” said Josh Mason (@joshua17sc), cybersecurity consultant and instructor, Neuvik Solutions, who recalled what he learned in the Air Force. “Every base has guards that check your ID before letting you through the gate. Nobody has to think about it. It’s standardized, works the same way at every base, and occurs the same way every day. We have to make cybersecurity controls the same way: minimal, unobtrusive, and not up for debate. The only reason it feels like others don’t want to do security is because we make it hard, complicated, and annoying. They would gladly make it part of their job if it just makes sense and works.”
10. Let’s play Devil’s advocate: Is security actually everyone’s responsibility after all?
“‘Security as everyone’s responsibility?’ That premise is flawed,” said Matt Chiodi (@mattchiodi), chief trust officer, Cerby, “and we have the last 20+ years as proof that it doesn’t work.”
Chiodi suggested we “automate the mundane security tasks often left in the hands of users who will never be, nor should they be, security professionals.” He used passwords as a key example, suggesting that “2FA setup, user onboarding or offboarding and critical tasks like password rotations should be automated and never left to the end user to complete manually.”
Andrew Robinson, founder and CISO, 6Clicks, concurs, “It risks becoming a finger pointing exercise. Security responsibilities cannot be shared across the organization as a replacement for a security team with a security leader who maintains accountability for its overall performance and has sufficient authority, budget, and expertise to go with it.”
11. Delegate security responsibilities to those who own the risks
“Where you will really move the needle is when you start assigning security ownership formally,” said ASG’s Overbaugh. “If your risks are only known to the security and IT teams, your risk management program is the problem. Risks should be assigned to the business owner of a system…. If you aren’t sure who should own the risk, do a hypothetical exercise: pretend the system went offline, and see who will scream the loudest. At this point, you probably know the business owner.”
12. No one learns everything the first day
“A security culture needs to be established and reinforced with consistency,” said ruby’s Al-Koura. “This is done by creating policies that clearly identify behavioral boundaries for staff and partners.”
“Repetition is always key to establishing and maintaining good security habits with teams,” added Alberto Silveira (@asilveir81), head of engineering, LawnStarter.
It’s a fundamental truth: we never change behavior through one single teaching. It requires a sequence of iterative learning opportunities, including the permission to make mistakes. Most companies lose out on achieving great security simply through time starvation. They do not allow enough time for adults to learn correctly.
13. Experience is the best teacher
“This may seem counterintuitive, but I do not find broad-reaching statements as helpful to our mission to raise workforce security IQ/EQ,” stated Mark Eggleston (@meggleston), CISO, CSC. “My take is to emphasize the need for training over awareness. For example, training should focus on how to spot a phish or BEC (business email compromise) email and where to report it.”
And whenever possible, “avoid canned videos, and opt for in-person or live virtual training,” suggested SolCyber’s Oh. Live virtual or in-person training will probably cost more up front, but it is more effective, and in the long run it will probably be cheaper once you account for employees’ time and the cost of potential mistakes.
14. Even the smallest successes should be celebrated
“Highlight key wins, such as rewarding someone who reported a fraud/phishing email. This could be as simple as recognizing people during an all-hands meeting,” said SolCyber’s Oh.
For ongoing recognition look to gamification. Internal gamifying such as leaderboards can work well and create friendly competition. But either use it sporadically or change up the games periodically as people will eventually get bored of the games.
15. Security is a key ingredient of quality, not a side dish
“Take a page from the quality revolution in U.S. manufacturing,” said Dutch Schwartz, global head, security, strategic industries, Amazon Web Services. “It’s no longer thought of as a discrete separate activity. Reframing security as an aspect of quality allows all your employees across all departments to internalize that cybersecure operations is simply how things are done here. If security remains some other team’s job, then we will fail as a community.”
“If you lose customer data privacy, market share, long-term reputation, everyone sinks or survives on the same company ship,” said Julie Tsai (@446688), limited partner, Rain Capital Management.
16. It’s the nature of data to roam where it shouldn’t
“Data is like life in Jurassic Park,” said Brian Vecci (@brianthevecci), field CTO, Varonis, “It finds a way. If you don’t have good preventive controls, people will move data to and from places it’s not supposed to be. If you don’t have good detective controls, you’ll never know it’s happening. Automation becomes critical since you’ll never have enough people and time to fix everything.”
17. Who are the people with targets on their backs?
“High-risk individuals, those with access to sensitive data or systems, must be particularly vigilant when it comes to security. They must follow security policies and procedures, be aware of the latest threats and vulnerabilities, and report any potential security incidents immediately,” said Macquarie Group’s Balla.
People who hold specialist roles need additional and very specific training for their area of expertise. Their role also makes them a more prominent target, meaning there will be a need for greater and more frequent security training to match their heightened responsibilities. Another group who are key targets are new employees. It takes a while for new employees to even receive their security awareness training, and that leaves a big hole in a company’s defenses. They also are unlikely to know who the key people are – those who they can turn to for guidance, and those who might be impersonators. New employees want to do all the right things, and the attackers prey on that combination of “willingness to help” with “lack of knowing company procedures.”
18. Security requires vigilance AND it also needs conversation
Communication is vital to all aspects of business, but it’s essential when it comes to making security everyone’s business.
“As a new CISO one of the things I immediately realized is that cybersecurity is not a meaningful topic of conversation,” said Joseph Lewis, CISO, Centers for Disease Control and Prevention. “People think my job is to make systems FISMA compliant, rather than making them cybersecure. So, I do meet and greet tours to tailor value-driven conversations around cyber at their levels.”
“Not communicating creates skepticism, mistrust, and natural resistance,” cautioned Brett Conlon, CISO, American Century Investments.
“Translating security into a language they understand would benefit the C-suite and non-technical executives,” added Commonwealth Bank’s Nedyalkov.
“Not all roles and personas in an organization speak the same vernacular or have the same background and experience,” said David Cross (@MrDBCross), SVP, CISO, Oracle SaaS Cloud. “When you can describe a challenge, problem or threat that everyone can understand and feel the risk or pain that will be felt at their individual level, they will be much more likely to align, join and help with improving security.”
Sandy Dunn (@subzer0girl), CISO, Shadowscape, suggested “using multiple channels with a consistent message. This could include weekly best practice tips, security awareness videos, cybercrime trend reports, role-specific lunch ‘n’ learns, and a searchable knowledge base. A little humor helps, too.”
19. Show, don’t tell
“The phrase ‘we value the security of our customers’ is not enough,” said Benjamin Sapiro, security executive.
Words can stitch a plan together, but it takes action to fill it in. Building on the “top-down issue” (item No. 6), senior leaders must demonstrate their personal commitment to security in everything they do, from the way they manage their own passwords to the way they show a full understanding of their customers’ security priorities. They must be able to show, not just say, that they value the security of their customers. “You’ll need an organizational change management (OCM) plan that sets out and drives tone from the top (the execs), and leadership in the middle (management),” Sapiro added. “Tone needs to be specific, measurable, and actionable. It must also be monitored.”
20. Stories of failures always help
“Like most cultural changes it starts with trust, transparency, and humility, and this means sharing your own mistakes,” suggested Brian Olearczyk, chief revenue officer, OwnBackup. “I saw a CEO share a story about being duped by a social engineering message. These stories help create a visceral response that shows that everyone is susceptible and therefore everyone is responsible.”
Mistakes are key to learning, and they are also more memorable than victories. The value of expressing failure is that it touches people on both an emotional and rational plane, and also ties the community closer together through commonly shared experience.
CONCLUSION: Build it, teach it, live it
The most dangerous security policy – even more dangerous than having none at all – is lip service, because it gives people a false sense of a security that doesn’t truly exist. Instead, a practice of clear security techniques, built into the culture of an organization from all the directions listed above, gives teams both the knowledge and the permission to carry it forward individually. As Ben Sapiro put it, paraphrasing his colleague Jeevan Singh Sain, director of product security, Twilio, “Security culture is what happens when security people aren’t in the room.”