Four Steps For Better Security Adoption

Categories: Leadership, Tech for Non-Tech

Education drives security adoption

There is a plethora of articles on security adoption and the end user. Security companies have coined terms such as Human Firewall to stress the importance of vigilance about security in your company. But it seems that a disconnect remains over how important cybersecurity really is. We must bridge the divide between our users and arcane policies, and this takes more than a carrot-and-stick approach. Let’s explore four steps to improving security across organizations.

Defense is the best offense

I received feedback that it is too much to ask an employee to stay compliant with security. Let that sink in for a second. Would your customer want to hear that? Large BYOD and Acceptable Use policies full of technical jargon are commonplace, which does make them difficult to digest. But these documents are necessary to establish a baseline of what we expect from our employees.

Without these documents, we would be in the Wild West, with our employees unaware of what they can and cannot do. Further, these documents set guidelines on what employees should look out for: unsecured networks, phishing emails, and the training they are expected to complete.

Because these documents are full of technical jargon, we need to pull out the most important pieces and explain them. Make sure that our employees feel comfortable coming to our IT or Security departments with questions or concerns. The second that employees are not comfortable asking questions is the second that we lose a great resource.

Balance business responsiveness with confidentiality

Which is the worse headline: “Customer inconvenienced by waiting a few hours” or “Company suffers data breach from man-in-the-middle attack, costing customer $1M”? Chances are that you chose the latter.

We live in a world where we are expected to be plugged in constantly and to respond to clients’ needs instantaneously. The fact that we can log in from anywhere allows us to do so. However, just because we can reach the internet does not mean we should send confidential information over an unencrypted medium. Email is particularly susceptible: we may encrypt it at rest, but encryption at rest does nothing for a message sent or read over an unsecured network, and protecting it across multiple mobile devices is just too hard.

Schools must teach technology

Technology has had a tremendous impact on business over the past three decades, and especially over the past five years. It is no wonder, given the massive growth in technology, that businesses have struggled to keep up.

Future leaders in business schools across the country are expected to learn the fundamentals of finance, accounting, marketing, economics, and operations. But in far too many programs one vitally important subject is missing: technology.

I am not expecting fresh MBAs to know how to code or implement a risk management plan. But I expect them to be able to converse intelligently with their colleagues in IT just as they would be expected to in accounting or marketing. Technology is a large part of the enterprise and must be understood as well as any other functional area. As companies build digital strategies, understanding these concepts becomes ever more vital.

Case in point: one of my MBA peers that I graduated with recently asked, “Was SQL a big thing 5 years ago? Should we have been taught this? Why didn’t we know?” Our future business leaders need to be aware of technology concepts in order to drive value for stakeholders. We need to establish a baseline language across the enterprise.

Make analogies between business and personal

We go to great lengths to protect business assets. We implement firewalls, install antivirus, phishing monitors, IPS, IDS, and audit logs. This instills a sense of security in our users and stakeholders that our data will not be breached. We push policies to our employees asking them to watch for unsecured networks, avoid phishing emails, and follow password restrictions. Inevitably, we receive feedback that it is too hard to do, that they would not know how, or that it is not their job.

However, we are not asking our users to do anything different from what they should already be doing for their personal devices. In fact, our practices will save them the frustration of seeing a bank account emptied or a personal laptop frozen by ransomware. We are in an age where we must stay secure: we lock the doors to our vehicles and homes; we must also lock the doors to our devices.

We are in it together

If we train our employees to be aware of best practices and to use them in their personal lives, then those practices will become second nature in their business lives. These skills transfer across companies, and we should work together to drive security awareness. We are in this fight together. We all need to work harder to use simpler language to convey the importance of security and technology to our users. People struggle to embrace what they cannot understand.