Building a culture of security is everyone’s responsibility

Before the digitisation of the workplace, security was more straightforward. The doors were locked at the end of the night. The workplace was secure. Now, every single device is a virtual door into a company’s operations. Every device is a portal for security vulnerabilities to be exposed.

In the same way that employees are expected to lock the doors to the office, operational security is everyone’s responsibility. To ensure that is embraced across the organisation, companies need to create a culture of security, empowering every single employee to protect the business and its assets.

“There’s this increasing desire to do digital transformation and modernise ways of working. That’s great. But there’s this paradigm shift that needs to occur. There’s a dichotomy between the need to digitally transform and also be secure in doing that,” says Red Hat’s principal cybersecurity lead Robert Erenberg-Andersen. He advises companies to prioritise both digital transformation and the embedding of a secure culture at the same time to ensure digital transformation is carried out safely and responsibly.

At a recent roundtable, experts shared their opinions on and experiences with operational security. They found that often security is seen as the natural opposite to digital transformation. It has also traditionally been the purview of the CISO or CIO alone. But a single person or team is not enough to build a secure business. The realities of the modern workplace also reflect that. Remote workers, nondesk- based workers and the proliferation of devices – from printers to tablets to mobiles to computers – mean there are more security risks than ever before. But instead of seeing that as a vulnerability, business leaders can consider the ways a cultural shift can create opportunities.

Karl Hoods, group chief digital and information officer for the Department for Energy Security and Net Zero, says that creating a culture of security will allow an organisation to transform more effectively and creatively. It will facilitate greater digital opportunities because it gives the business a strong foundation on which to grow. “Security isn’t just about delivering a new service or set of services in a discreet and isolated way,” he says. “It has to be in conjunction with digital transformation so that it’s seen as an enabler, rather than a gatekeeper.”

If every employee is empowered to protect themselves and the business’ assets, a culture of security will create a stronger, safer company

Being an enabler is a common goal for those responsible for crafting secure operations. Eric Liebowitz, chief information security officer at Thales, says “enabler mode” is how operations security teams can “focus on how they enable the business quickly.” He adds: “It doesn’t have to be a digital transformation. It could be a specific project that we need to help people navigate.” he adds, “it could be a specific project that we need to help people navigate.”

Building that culture requires employees to be empowered to prioritise security and be held accountable for it. Employees have to understand the ways in which they can build security into whatever they are doing. But they also have to buy into the reasons behind doing so. Leaders need to communicate the value of a secure culture to ensure people don’t feel like security is a chore, but a tool toward improving business resilience.

From an operational perspective, getting employees aligned behind the organisational objectives and empowered to act in secure ways is the key to creating a secure culture from the ground up. But, companies must also see a level of collaboration among leaders to ensure this continuous improvement is prioritised as new technologies are implemented and strategies change.

Not only is this valuable from a cultural perspective, it also ensures that risk is owned by the right person. If a security risk is the responsibility of someone who does not hold the budget to deal with the ramifications of the impact, Erenberg-Andersen says, they are the wrong person to own that risk. He advises leaders to take responsibility for operational risks, thereby prioritising security as a matter of business-critical decision-making. If an attack happens, he says, leaders have to be accountable. “When you have that accountability, then you also have the vested interest in doing it the right way.”

Part of getting business leaders to support this shift is for CISOs and technologists to present security in terms CEOs and board members understand. A secure business also eliminates financial and operational risk. That is something leaders care about.

But another key challenge in getting leadership buy-in is that boards see cybersecurity and operational security as a one-off transformation or cost. “They see it as a discrete activity,” says Liebowitz. “Security isn’t just a technology/ cyber team issue” because attacks can affect critical business operations, disrupting things far outside of the realm of the tech team’s remit. That ripple effect makes security business critical for every team.

Richard Jones, head of information assurance and cyber security at Leidos, agrees: “Everyone wants to keep the business going. There’s a shared goal of resilience. If everyone understands that their job is to keep their business resilient, then everyone can start to play a part in defending from a cyber perspective, reacting from a cyber perspective and then forecasting.”

Getting leaders and employees to understand the critical nature of security to business resilience is the first step. Then, companies must commit to continuous improvement. Security isn’t just something to be invested in, deployed and then forgotten about. It must be continuously present across all business operations and able to adapt to changing needs.

Tulsi Narayan, senior vice-president of cyber and intelligence at Mastercard Europe, advises “constant vigilance” and continuous monitoring leveraging technology rather than periodic monitoring, improvement, and training to help employees consider security as part of their daily work. “You can’t digitalise in a rush. Embedding security in the culture of an organisation is only achieved when you enable people to understand the security need, engage with the results from continuous monitoring, and react effectively based on the results,” she says.

Sanjit Shewale, global head of digital business line at ABB Process Industries, likens it to digital transformation. Over the course of the digitalisation of business over the past decade or two, companies have come to realise that digital transformation is not achievable in a single project or investment. It requires constant adaptation. Security requires the same thing. “It is not a start and end programme, it’s continuous,” Shewale says, advising leaders to act collaboratively and build in security education so that employees are aware of the risks they can help mitigate. “I really think that collaboration from the leadership level down permeates throughout the organisation. Prioritising it is something you can no longer afford not to do.”

If security is not seen as something that prevents innovation and change, but rather, facilitates it safely, it can help companies solve problems. They can digitalise and evolve while building a stronger, more cohesive culture. “Technologists need to understand the core of how businesses operate and make money and profit. But the business needs to understand how tech is enabling that because they are inextricably How can companies create a culture of security? intertwined now; you can’t separate them,” says Erenberg-Andersen.

Leaders sometimes see digital transformation as the diametric opposite of operational security. But, with a commitment to empowering employees and building a culture of security in which continuous improvement results in business resilience, companies can embrace all the opportunities and freedom digitalisation offers with limited amounts of risk.

Every single device a company uses is a potential risk point. But, just like locking the office door, if every employee is empowered to protect themselves and the business’ assets, a culture of security will create a stronger, safer company.

How can companies create a culture of security?

At a recent roundtable, technology, cybersecurity and IT leaders discussed the value of embedding security in an organisation. They asserted the importance of operational security in protecting a business and its assets

Robert Erenberg-Andersen, Principal cybersecurity lead at Red Hat

“In order for organisations to effectively enable a culture of security, they have to create a culture of safety and a culture of empathetic collaboration. We need to be prioritising each other’s activities and not just our own, and seeking out areas by which we can apply our own expertise and specialisations to further the work of others in order to achieve a common mission.”

Eric Liebowitz, Chief information security officer, Americas at Thales

“Security is everyone’s responsibility, not just tech teams’. A lot of companies will have tens of thousands of employees, thousands of servers, hundreds of applications; we have to protect them and get it right every time. The bad guys only have to get it right once. And so with small security teams, I think the thing we can do is empower our employees to understand security and take a role in protecting our assets and making sure that they do the right things to protect our systems and data so that we’re all part of the solution.”

Karl Hoods, Group chief digital and information officer at Department for Energy Security and Net Zero

“To create that culture, we’ve got to stop seeing security as a discrete activity. It is a part of everything that we should be doing. That flows all the way through from investment through to board level accountability, and day-to-day working. It’s a two-way street where we have to kind of collaborate and work very closely with all business areas, and they need to understand what we’re doing is trying to enable them to succeed in their outcomes.”

Tulsi Naryan, Senior vice-president, cyber and intelligence solutions, Europe at Mastercard

“First, we need to shift to security by ideation and then design. I think we have to incorporate it into every aspect of the digital journey and it’s not a one shot, it has to be a continuous affair to be relooked at and made sure that processes products go to market through, are fully safe and secure.”

Richard Jones, Head of information assurance and cyber security at Leidos

“Encouraging the ability to make a contribution for the benefit of the organisation you’re in and potentially supporting the organisations that you’re collaborating with as well, is going to be a vital part of good corporate behaviour or organisational behaviour going forward. Activity that promotes effectively looking after the community you’re in, when it comes to cybersecurity, I think is going to be a pivotal change in the way companies behave with each other and the organisations that work with each other.”

Sanjit Shewale, Global head of digital business line at ABB Process Industries

“To create this culture of security, I think it’s vital that there’s open communication and collaboration among the organisation. Not only internally, but across different sectors; different organisations need to come together. Providing information on cybersecurity, its benefits, and its necessity for reaping the rewards of digitalisation is crucial. That comes down to education as well. You cannot forfeit safety in order to achieve that. Instilling this education, instilling the mindset going forward, is going to be critical. That’s how we’re going to be able to create that culture of security.”

Expand Close

For more information please visit Red Hat

TechnologyCybersecurityDigitalSponsored

Building a culture of security is everyone’s responsibility

How can companies create a culture of security?

Read this next

Want to read on?

Subscribe to our Daily Newsletter