Making Security Part of Your Culture


By: Gary Stidham

All organizations must re-think how they manage their business as it relates to security, and solution providers specifically must re-think how they deliver secure solutions to customers as well. Many vendors still haphazardly treat cybersecurity as a box that just has to get checked in an RFP in order to sell their solutions, as if it were simply a matter of buying security off the shelf. However, the days of installing virus protection on computers and calling it good are long over.

Many executives still roll their eyes when discussions turn to cybersecurity. However, in today’s tech-driven world, it’s impossible to overlook the risks and exposure that cybersecurity threats pose to virtually every business. Billions of dollars are spent every year on defending against, and in some cases acquiescing to, ransomware attacks, which are just one variety of the many cybersecurity threats that are now prevalent.

Bringing Security Front and Center

Security must now be front and center, with a core commitment that encompasses all aspects of a business, including both internal and external factors. Security must be cultural in an organization and be given the same consistent commitment and investment that makes it a core business priority, no different than you would give a quality initiative.

A strong security culture (i.e., mindset and mode of operation) must be ingrained in corporate philosophy in order for it to be effective and maintained. It is not a project with a start and an end date, but a sustainable program that must continually advance and evolve through continued investment in order to keep up with ever-changing and new threats. It’s no longer an IT- or Engineering-only issue. It’s top down, bottom up, cross department, cross vendor, and should be prominently considered as part of virtually every significant business decision. It must be instilled in the culture.

So how do you make security cultural in an organization?

You can’t simply wake up one morning and proclaim your solutions or organization secure. There is a progression to security that enables some organizations to be more secure than others, and the timeline to hardening security can typically be measured in years, not weeks or months. As with any other cultural growth initiative in an organization, it must start as an executive commitment and/or charter.

Most manufacturing and software organizations have a charter that states something related to “delivering quality solutions.” Security should be put on a similar pedestal. In fact, I would argue it’s a core component of achieving quality today. How can you say you deliver a quality solution if your customer’s data centers, networks or other assets are unnecessarily subject to security breaches as a result of vulnerabilities in your solution? Does security not then become a quality-impacting issue? The ability of your solution to maintain availability, confidentiality, and integrity within a customer environment is as much a factor of quality as any material defects or bugs are.

It starts with a corporate charter that identifies security as a priority to be considered in daily, weekly, monthly, quarterly and annual planning. Like any other organizational charter, leadership must make room for the investment and resourcing required to make the security program a success. This is by far the biggest issue many companies face in moving towards security hardening – underestimating the resource and investment requirements needed to make it successful and sustainable.

Once an executive commitment, funding plan, and directive have been established, the next step is to define a specific security standard/program to follow. It’s important to formalize a security program framework with a documented set of information security policies, procedures, guidelines, and standards. The framework provides a common language for understanding, managing, and expressing cybersecurity risks and goals to internal and external stakeholders.

Security Frameworks

There are many security frameworks, such as the one developed by the National Institute of Standards & Technology (NIST) as its guidelines for cybersecurity. NIST best practices generally apply to physical security, policies, training, IT networks and communications systems. The current version of the NIST framework can be found here.

Any security program should include a road map for effective security management practices and controls. Having a security program will help ensure the confidentiality, integrity, and availability of the solutions provided, as well as protect business networks and operations.

Using a framework helps identify and prioritize actions for reducing cybersecurity risk, as well as align business policies and technological approaches to managing risk. Many companies hire specialized consulting firms to help organize and implement a security framework. But whether consultants or internal resources are leveraged, it should be run as a formalized program within the organization.

Identify Security Profile

Once a security framework is established, the next step is to identify the current security profile based on the guidelines identified in the framework. This basically means identifying the current state in meeting the guidelines and what level of policy and process is in place to achieve success. For example, at a high level, NIST breaks this evaluation down into four tiers:

• Tier 1 Partial – Ad hoc and reactive
• Tier 2 Risk Informed – Approved policy and process in rolling out the program
• Tier 3 Repeatable – Actively exercised policy and processes, with change control implemented
• Tier 4 Adaptive – Policy is adapted to real cybersecurity activities

This is a key component of developing and improving a security culture. The organization needs to be honest about its current state and starting point relative to the cybersecurity guidelines. Self-assessment will require cross-department representation and can take a significant investment of time to do thoroughly and accurately. Fortunately, once you have completed this foundational work, it will be much easier to maintain your profile going forward.

Prioritize Cybersecurity Gaps

The next step is to prioritize cybersecurity gaps (i.e., vulnerabilities) and identify what changes need to be made (i.e., the target profile) within a specific timeline (i.e., a road map) that makes sense and is practical for the business. Prioritization of items in the target profile is based on addressing the items that pose the highest risk to the business first. This should be an iterative process, continually improving and expanding the security profile towards achieving Tier 4 compliance.

Rolling out a successful security program means getting all employees trained and providing clear visibility into the program and its status. Visibility into the program across all levels of the organization is key, and it should be integrated into core business processes (e.g., the product life-cycle process and program management office).

Creating a cyber-secure culture requires giving security the same level of attention as other core organizational objectives. Creating response plans to cybersecurity threats to the organization is only one facet. Others include customer recovery support plans and standardized assessments of potential risks posed by chosen partners and vendors.

To make security cultural, it must be a centerpiece of the organization’s mission, vision and values.
