At Ciena, cybersecurity is more than a set of controls—it’s a culture of shared risk awareness, accountability, and informed decision-making that helps protect our customers and support innovation. In this blog, Ashley Chackman, Lead, Security Training Awareness & Employee Engagement, shares her perspective, with contributions from Steve Cardinal, Lead, Security Risk Management.

Cybersecurity goes beyond tools, controls, and incident response. It reflects how an organization understands risk, makes informed decisions, and balances innovation with responsibility. At Ciena, fostering a security and risk-conscious culture is central to how we protect our operations, support our customers and innovation, and operate responsibly within an increasingly complex threat landscape.

In some of our previous blogs, we’ve shared how our security program is guided by clear strategic priorities, supported by a confidently compliant control environment, and strengthened through resilient operations built on trust, people, and purpose. In this blog, we bring those elements together by focusing on culture and how we embed a common risk awareness, accountability, and a shared responsibility model across the enterprise, with a strong emphasis on the human element of cybersecurity.

Awareness, analysis, and balance

A security and risk-conscious culture doesn’t mean avoiding risk; it means understanding it in enough depth to make informed, confident decisions.

At Ciena, enterprise cybersecurity risk is considered alongside other enterprise risk and business objectives. This integrated approach allows teams to pursue opportunities while remaining mindful of potential impacts to our customers, operations, and the broader ecosystem. By consistently assessing risk in context, we help ensure that decisions reflect both opportunity and responsibility.

Consistent security risk management practices

Effective risk management depends on consistency. Ciena uses enterprise-wide practices to identify, assess, and communicate security risks.

These practices include structured approaches for risk intake and evaluation, clearly defined risk tolerance and target states aligned with business priorities, and reporting mechanisms that give leadership visibility into risks that could impact our operations. Shared frameworks and a common vocabulary help ensure security risks are understood across the organization—not just within security teams, but across the business functions that influence our cybersecurity posture.

Focusing on what matters most

Organizations must balance availability of resources and tolerance for risk.

Here at Ciena, we direct resources towards managing the security risks with the greatest potential impact to our customers, operations, and strategic objectives. This risk-informed prioritization helps guide investments in controls, capabilities, and awareness, ensuring time, budget, and effort are applied where they deliver the most value.

Collaboration across the business

Cybersecurity is not owned by a single team; it is a shared responsibility shaped by decisions made.

Ciena fosters collaboration among security, IT, engineering, legal, compliance, procurement, and operational teams. These partnerships help build risk awareness into business activities, which can range from system design and supplier engagement to data handling and operational planning.

Regular communication reinforces this shared responsibility. Security risks and priorities are discussed with executive leadership and reported transparently to the Board of Directors, supporting informed oversight and alignment. Equally important are open channels throughout the organization that encourage employees to ask questions, report concerns, and share ideas, helping surface risks earlier and strengthen collective accountability.

Managing third-party risk

Modern cybersecurity risk extends beyond organizational boundaries.

Ciena actively manages the security risk associated with third-party relationships, particularly in a global and interconnected supply chain. Defined governance, assessment, and oversight practices, closely integrated with procurement, help us better understand and manage these risks, protecting both Ciena and the customers who depend on our solutions.

Developing a security-conscious workforce

People are central to an effective cybersecurity program. Ciena continues to invest in developing a security-conscious workforce through training and engagement that is threat-informed, industry-specific, and continuously evaluated.

Our training program is designed around risks relevant to the industries we serve and is regularly reviewed to align with recognized frameworks such as NIST and ISO, as well as evolving regulations and emerging threat trends. Employees receive foundational cybersecurity training to establish a shared baseline, along with targeted education for different risk profiles.

Ongoing phishing simulations are intentionally calibrated to realistic attacker behavior and measured using program‑level metrics. These insights help inform targeted reinforcement and continuously reduce organizational exposure. Scenario‑based learning and year‑round awareness initiatives further connect everyday decisions to real‑world cybersecurity outcomes, helping make secure behaviors practical and sustainable.

The human element of risk

While technology is critical, culture ultimately determines how effectively it is used.

A strong security and risk-conscious culture depends on leadership, accountability, empowered employees, open communication, and trust. By focusing on how people understand, perceive and respond to risk, Ciena works to ensure cybersecurity becomes a natural part of how work gets done, not an afterthought.

Trust through shared risk ownership

At Ciena, cybersecurity is not a standalone program or a checklist; it is a mindset grounded in awareness, analysis, and shared responsibility.

By fostering a security and risk-conscious culture, we aim to protect our customers, enable innovation, and manage cyber risk in a way that is thoughtful, transparent, and aligned with our values. This approach strengthens our security posture and reinforces the trust our customers and partners place in us every day.