Making Security Part of Your Culture
Estimated reading time: 20 minute(s)
All organizations must re-think how they manage their business as it relates to security, and in the case of solution providers specifically, how they deliver secure solutions to customers as well. Many vendors still haphazardly think of cybersecurity as a box that just has to get checked in an RFP in order to successfully sell their solutions. As if it was simply a matter of buying security off the shelf. However, the days of installing virus protection on computers and calling it good have long been over.
Many executives still roll their eyes when discussions turn to cybersecurity. However, in today’s tech-driven world, it’s impossible to overlook the risks and exposure that cybersecurity threats pose to virtually every business. Billions of dollars are spent every year on defending against, and in some cases acquiescing to ransomware attacks, which are just one varietal of the many cybersecurity threats that are now prevalent.
Bringing Security Front and Center
Security now must be front and center with a core commitment that encapsulates all aspects of a business, including both internal and external factors. Security must be cultural in an organization and be given the same consistent commitment and investment that makes is a core business priority, no different than you would a quality initiative.
Instilling a strong security culture (i.e., mindset and mode of operation) must be ingrained in corporate philosophy in order for it to be effective and maintained. It is not a project that has a start and an end date, but more a sustainable program that must continually advance and evolve through continued investment in order to keep up with the ever-changing and new threats. It’s no longer an IT- or Engineering-only issue. It’s top down, bottom up, cross department, cross vendor, and should be prominently considered as part of virtually every significant business decision. It must be instilled in the culture.
So how do you make security cultural in an organization?
You can’t simply wake up one morning and proclaim your solutions or organization are secure. There is a progression to security that enables some organizations to be more secure than others and the timelines to hardening security can typically be measured in years, not weeks or months. As with any other cultural growth initiative in an organization, it must start as an executive commitment and/or charter.
Most manufacturing and software organizations have a charter that states something related to “delivering quality solutions.” Security should be put on a similar pedestal. In fact, I would argue it’s a core component of achieving quality today. How can you say you deliver a quality solution if your customer’s data centers, networks or other assets are unnecessarily subject to security breaches as a result of vulnerabilities in your solution? Does security not then become a quality-impacting issue? The ability of your solution to maintain availability, confidentiality, and integrity within a customer environment is as much a factor of quality as any material defects or bugs are.
It starts with a corporate charter that identifies security as a priority to be considered in daily, weekly, monthly, quarterly and annual planning. Like any other organizational charter, leadership must make room for the investment and resourcing required to make the security program a success. This is by far the biggest issue many companies face in moving towards security hardening – underestimating the resource and investment requirements to make it successful and sustainable.
Once an executive commitment, funding plan, and directive have been established, the next step is to define a specific security standard/program to follow. It’s important to formalize a security program framework with a documented set of information security policies, procedures, guidelines, and standards. The framework provides a common language for understanding, managing, and expressing cybersecurity risks and goals to internal and external stakeholders.
There are many security frameworks, such as the one developed by the National Institute of Standards & Technology (NIST) as it’s guidelines for cybersecurity. NIST best practices generally apply to physical security, policies, training, IT networks and communications systems. The current version of the NIST framework can be found at here.
Any security program should include a road map for effective security management practices and controls. Having a security program will help ensure the confidentiality, integrity, and availability of the solutions provided, as well as protect business networks and operations.
Using a framework helps identify and prioritize actions for reducing cybersecurity risk, as well as align business policies and technological approaches to managing risk. Many companies hire specialized consulting firms to help organize and implement a security framework. But whether consultants or internal resources are leveraged, it should be run as a formalized program within the organization.
Identify Security Profile
Once a security framework is established, the next step is to identify the current security profile based on the guidelines identified in the framework. This basically means identifying the current state in meeting the guidelines and what level of policy and process are in place to achieve success. For example, as a high level NIST breaks this evaluation down into four tiers:
• Tier1 Partial – Ad-hoc and reactive
• Tier2 Risk Informed – Approved policy and process in rolling out program
• Tier3 Repeatable – Actively exercise policy and processes with change control implemented
• Tier4 Adaptive – Policy is adapted to real cybersecurity activities
This is a key component to developing and improving a security culture. The organization needs to be honest about its current state and starting point relative to the cybersecurity guidelines. Self-assessment will require cross department representation and can take a significant investment of time to do thoroughly and accurately. Fortunately, once you have completed this foundational work it will be much easier to maintain your profile going forward.
Prioritize Cybersecurity Gaps
The next step is to prioritize cybersecurity gaps (i.e., vulnerabilities) and identify what changes need to be made (i.e., target profile) within a specific timeline (i.e., road map) that makes sense and is practical for the business. Prioritization of items in the target profile is based on addressing items that pose the highest risk to the business first. This should be an iterative process, continually improving and expanding the security profile towards achieving Tier4 compliance.
Rolling out a successful security program means getting all employees trained and providing clear visibility to the program and status. Visibility to the program across all levels of the organization is key, and it should be integrated into core business processes (e.g., product life-cycle process and program management office).
Creating a cyber-secure culture requires giving security the same level of attention as other core organizational objectives. Creating response plans to cybersecurity threats to the organization is only one facet. Others include customer recovery support plans and standardized assessments of potential risks posed by chosen partners and vendors.
To make security cultural, it must be a center piece of the organization’s mission, vision and values.
By: Gary Stidham
Want to know about new posts? Subscribe today and receive periodic alerts on what’s new on the Zetron Z-wire blog!