Craig Williams

With the continued proliferation of data breaches and other network security threats, cybersecurity spending is projected to climb to US$90 billion worldwide this year. As such, more companies are looking to build robust IT organizations with enhanced capabilities to combat the ever-evolving cyber threats. Companies are busy upgrading their systems, hiring employees and partnering with third parties to keep up with the pace of change. So, what do IT leaders need to prioritize to be sure their efforts have both an immediate and long-term impact on the integrity of their networks and systems?

The first step is to develop a strategy that brings an organization together to understand WHY cybersecurity is the responsibility of all employees. From there, it’s about what role all individuals can take in building a level of defense that suits a particular organization’s size and needs. While the following five suggestions are not exhaustive by any means, they will certainly strengthen your security posture, have a meaningful impact and – best of all – are relatively easy to implement by leveraging current resources.

Be Integrated

Security is not one person or one team's responsibility. A security strategy needs to be embedded in your organization on multiple levels and across departments. Consider creating a security council that has representatives from the various business units in your company. Having different perspectives will bring unique ideas to the table and can also enable organizational alignment on the prioritization of threat protection. Likewise, build and/or expand your network outside of your company to extend the discussion around potential issues and learn about new threat mitigation strategies.

Deputize Security Advocates

There is always a group of employees who hold security in higher esteem than others. It is important that you identify those resources and leverage their expertise. They are often the best to learn and take counsel from because they have their ear to the ground … in some cases, even more than some engineers. These advocates are also often the ones who will technically train others and recommend new ideas and approaches to solve problems. Consider having these individuals lead special security projects or, perhaps, ask that they represent security for their respective function or business unit.

Institute Awareness Programs

The first line of defense in any company is your employee base. Through continuous training, employees can alert your security team to things that look suspicious. Teach them about cyberattacks, social engineering, phishing, etc. and do it in multiple ways across multiple mechanisms (email updates, blog posts, posters, online training). The more your employees know, the more they will be on guard and will help you defend.

Engage the C-suite

It is imperative that the CEO and other C-suite executives are advocates and participants in security issues and discussions. When leaders discuss concerns, others take notice. Be creative, too. Ask your executives to talk about security in their ‘All Hands’ employee meetings; to send out an email about a particular security topic; to blog about it; etc. I know one senior executive who dressed up as a fisherman at an employee meeting and spent time talking about the importance of security and that phishing was no joke. It drove the point home.

Check Your Incident Management Process

Most companies have a process to follow for day-to-day issues that arise when something goes wrong – like when an application goes offline or a video isn't working. Make sure that your incident management process can be followed for security events, too. The only real difference to consider is the escalation path and who to involve during an event. Security events can be highly sensitive, so you may want to be selective about who to involve – or not involve – depending on the issue. The bottom line is that you do not want to be working out who to involve, or when, in the middle of a crisis. Be sure to test your process frequently as well.

Cyber threats are now a part of day-to-day business that organizations must face and address. CIOs and IT leaders must never let their guard down, frequently evaluating the technologies and resources the company uses to ensure they have the right defenses in place to anticipate, respond to and resolve possible threats. Central to IT leadership’s approach is a strategy to kick-start the integration of a cyber threat program across the organization – especially one that leverages existing company resources. While IT leaders will always need to invest in new solutions, they must also invest in keeping employees and leadership informed so that they can properly manage their security program to its fullest.


This article was originally published in Forbes.