Massive data breaches have become the new reality, and they confirm one of the biggest challenges companies face when it comes to security: a company’s biggest shortcomings are often not apparent until a breach or other emergency occurs. As a result, adequately preparing for the worst and getting employees at every level of the company to give security the attention it needs remain the key priorities for chief security officers.
Bridging the gap between management and lower-level employees is a particular challenge. Even when companies proactively introduce processes or frameworks that improve their security, I find things can break down when it comes to implementation.
Management may put in place a new security framework, document all new procedures, train staff, and even get an independent certification, but all of this will accomplish nothing if other employees continue to do what they were doing in the first place. Furthermore, the false sense of security provided by the mere existence of a new security framework or technology can make it easy for employees at every level to become complacent and assume their security is assured.
In reality, security processes must constantly evolve based on discussions between the chief security officer, management, and employees in every business unit, accounting for emerging risks, new technologies, and recently uncovered vulnerabilities.
Chief security officers need to first and foremost ensure that a solid understanding exists between the security team and the business units. Nobody can understand the nuances of a business unit’s capabilities, processes, assets, and services to the extent the unit itself does, so it is tremendously important for a chief security officer to meet with each unit and develop a comprehensive security plan that is aligned at the corporate level. Only by gaining a more complete understanding of the unique needs of a business unit can a chief security officer develop safeguards that reduce its risks.
Based on these discussions with the various business units, the security team offers suggestions that address each unit’s needs and concerns. Maybe a unit should consider outsourcing some processes, perhaps one program does not require the same security measures that another does, or sometimes more resources might be needed. A skilled chief security officer will be able to guide the department head through the available options to find the right balance between the necessary investment and the risk reduction it will bring.
However, the aspect that I consider to be most important when it comes to security is establishing trust between the chief security officer, key staff at every level of the company, and the management team. The chief security officer needs to ensure that employees at every level feel confident that when there’s a security issue, someone on the team will listen to them and help them determine what needs to be done in a way that addresses the issue proportionally to the risk.
Sometimes all this takes is for the chief security officer to go to lunch with the sales team or with an engineering team to hear their concerns firsthand and build a relationship that makes employees feel comfortable raising concerns in the future—before a security issue becomes critical. These meetings can also help employees understand the reasoning behind the existing security framework and may make them more likely to take security procedures more seriously.
It can be challenging to make the case to focus on security at the executive level. The management team may feel security is too complex to even discuss or that it’s pointless to invest so much time and money when nothing has gone wrong. On top of that, the executives should be focused on the overall business strategy. Apart from rare situations such as a decision to implement a new security or privacy framework, or the discovery of an unacceptable exposure or risk, there should be no reason for security to be explicitly brought to the boardroom. Therefore, it is essential that everyone in senior management understands the security exposure in their department and accepts the responsibility to mitigate it as an integral part of their job, from strategic decisions to daily operational tasks.
Having a management team that truly understands how security relates to company operations is a tremendous asset to a chief security officer and makes it easier to justify investments that keep data secure in the same way that the business justifies any other investment.
With so many variables to account for in different departments and at different management levels, nothing can be completely secure. Security is a continuous process in your technology, your processes, and your people, and it’s a multi-level responsibility held by everyone in the company. Conveying that message, building trust, and addressing concerns as they arise in an appropriate and business-friendly manner will go a long way toward ensuring an effective security policy.