Of all the steps IT departments must take to keep their organizations secure, the most important may be to get users and management on board. But here are three common mistakes that prevent IT from promoting a security-conscious culture.
None of IT’s security controls will make a difference if the business’s culture doesn’t value security, says John Pironti, President of IP Architects, LLC, who spoke at the recent Interop conference in Las Vegas.
IT security teams never get as much funding as they should, so IT has to leverage what it does have and get people working for security. That’s tough, but not impossible, says Pironti. For example, a 2007 breach of TJX Companies, Inc., one of the largest data breaches of all time, was discovered by a group of cashiers rather than by security professionals.
So what can IT departments do to create a culture where security is on people’s minds, rather than viewed as a hindrance to operations?
That’s obviously a big undertaking that takes a lot of time, but here are a few key mistakes to avoid, according to Pironti:
1. Assuming you know the business’s priorities and needs
A discussion about security shouldn’t start with IT telling the CFO or other executive what must be done to prevent unacceptable security incidents — it should start with IT asking what is considered an acceptable risk. For example, it’s important for IT to understand what kind of losses from a data breach the organization is willing to accept.
Once that is known, the IT department can explain what types of threats the business must protect itself against and what tools and processes are needed to do that.
2. Using negative reinforcement
It’s often said that an organization’s biggest security threat is its employees. While there may be some truth to that, Pironti says, if IT departments tell users they’re the problem, it will be impossible to get them on board with security programs.
Instead of chastising users for mistakes, Pironti recommends giving them information to help them make better security decisions. One way to do that is to offer training that gives them tips on keeping their personal information secure — for example, how to use social networking securely, how to protect their children online, or how to safeguard their personal financial data. That will encourage people to think about security at home and at work and hopefully get them to learn more about IT security.
3. Focusing on technology, rather than objectives
While there are a lot of security tools available that can help businesses protect their data, Pironti says, businesses too often decide what tools they want to buy before figuring out what they need to do.
Security policies and objectives should be in place first. Only after that’s done should IT start deciding how to implement those policies and meet those objectives.