In addition to demonstrating quick wins so that your CEO will take data security seriously, you should also be planning for the long term by building strong security awareness within your organization.
When the FTC held a webcast on “Building a Security Culture,” I was very curious to hear what tips they had to share. The FTC is after all the nation’s de facto privacy enforcer.
Here are the three big takeaways:
1. Security as a Core Value
During this discussion, many speakers explained why you need to build a security culture.
Matt Thomlinson, VP of Security at Microsoft, was very keen on C-level involvement. He noted, “Organizational buy-in from the top gives your employees permission to do secure development…security needs to be a priority that comes before the next feature, as consumer trust and liability are on the line.”
And when you’re developing and building, FTC Commissioner Julie Brill recommended that organizations build security into their products from the beginning of their development process. This ensures that you can give security assurance to your users from the get-go.
- FTC’s Guidance on Security – a top 10 list
- Building Security in Maturity Model – based on the experience of top firms
- UK government’s five essential security controls
2. Security Expertise and Frameworks
This section of the discussion focused mostly on your organization’s security strategy.
Adam Shostack, author of Threat Modeling: Designing for Security, explained the concept of threat models by using an analogy: the security of a house. There are weak spots you’re concerned with – doors, windows, garage – and so you want to make sure there are locks at all of them.
You can use this same approach for IT security – think about what can go wrong and what you can do about it.
- There are many different types of conceptual security models or frameworks. Frameworks help you deal with complex security standards – they’re a great way to break down the security problem into actionable steps. Here are the ones they mentioned: NIST’s (National Institute of Standards and Technology) Critical Infrastructure Cybersecurity, SDL (Security Development Lifecycle), OWASP (Open Web Application Security Project), and CIS’s Critical Security Controls.
They concluded by reminding us that security is not something you do once, but requires continuous monitoring and reassessment.
3. How to Train
A huge part of security is training your workforce. My favorite idea was gamifying security training. How do you make security fun?
One company created Hack-tober. During the month of October, the IT security group got everyone else in the company to think about data security.
Another fun activity is getting employees to spot “tailgaters.” These are cyber thieves who tail behind real employees as they enter the building, remaining undetected as they log on to unattended laptops or hack into the network with their own devices. It’s really a form of pretexting or social engineering, which is a top security threat.
You can raise tailgating awareness by having employees look for devices and people that are out of place. How about randomly leaving laptops tagged with skull-and-crossbones stickers around the office and then seeing if anyone notices? Incentivize by offering gift cards.
Bottom line: gamify security!
The goal is to help your staff think about security, even when it’s not Hack-tober.