Companies are busy upgrading their systems, hiring employees and partnering with third parties to keep up with the pace of change. So, what do IT leaders need to prioritize to be sure their efforts have both an immediate and long-term impact on the integrity of their networks and systems?
The first step is to develop a strategy that brings an organization together to understand WHY cybersecurity is the responsibility of all employees. From there, it’s about what role all individuals can take in building a level of defense that suits a particular organization’s size and needs.
While the following five suggestions are not exhaustive by any means, they will certainly strengthen your security posture, have a meaningful impact and – best of all – are relatively easy to implement by leveraging current resources.
Security is not one person or one team’s responsibility. A security strategy needs to be embedded in your organization on multiple levels and across departments. Consider creating a security council that has representatives from the various business units in your company. Having different perspectives will bring unique ideas to the table and can also enable organizational alignment on the prioritization of threat protection. Likewise, build and/or expand your network outside of your company to extend the discussion around potential issues and learn about new threat mitigation strategies.
Deputize Security Advocates:
There is always a group of employees who hold security in higher esteem than others. It is important that you identify those resources and leverage their expertise. They are often the best to learn and take counsel from because they have their ear to the ground … in some cases, even more than some engineers. These advocates are also often the ones who will technically train others and recommend new ideas and approaches to solve problems. Consider having these individuals lead special security projects or, perhaps, ask that they represent security for their respective function or business unit.
Institute Awareness Programs:
The first line of defense in any company is your employee base. Through continuous training, employees can alert your security team to things that look suspicious. Teach them about cyber-attacks, social engineering, phishing, etc. and do it in multiple ways across multiple mechanisms (email updates, blog posts, posters, online training). The more your employees know, the more they will be on guard and will help you defend.
Engage the C-suite:
It is imperative that the CEO and other C-suite executives are advocates and participants in security issues and discussions. When leaders discuss concerns, others take notice. Be creative, too!! Ask your executives to talk about security in their ‘All Hands’ employee meetings; to send out an email about a particular security topic; to blog about it; etc. I know one senior executive who dressed up as a fisherman at an employee meeting and spent time talking about the importance of security and that phishing was no joke. It drove the point home.
Check Your Incident Management Process:
Most companies have a process to follow for day-to-day issues that arise when something goes wrong – like when an application goes offline or a video isn’t working. Make sure that your incident management process can be followed for security events, too. The only real difference to consider is the escalation path and who to involve during an event. Security events can be highly sensitive so you may be selective of who to involve – or not involve – depending on the issue. The bottom line is you do not want to worry about who or when to involve someone during a crisis. Be sure to frequently test your process from time to time as well.
Blue Star Security will help protect your people, your physical assets, your corporate data and your intellectual property on a global scale. Contact us TODAY to schedule a FREE security assessment!!!