teissTalk host Thom Langford was joined by Michael Woodson, Director of Information Security and Privacy, Sonesta Hotels; Sergey Tairyan, Chief Information Security Officer, Digitain; Ali Baccouche, Regional Information Security & Data Privacy Officer – EMEA, Texas Instruments, Germany; and Jon France, CISO, ISC2.
At the RSA Conference, Julie Haney talked about how the eight major cybersecurity pitfalls can be avoided. The tips she gave are quite straightforward but are, nevertheless, often ignored by security professionals.
Users mustn’t be regarded as stupid, but they are often uninformed and need to be educated. They also have to be aware that everyone has a part to play in the corporate security culture.
A cornerstone of a robust security culture is that all users know what to do when they see something, together with the reassurance that they can report whatever they experience without fear of retribution. It’s also key to provide them with the tools that enable them to do so.
Pithy information security messages can be placed anywhere around the office where staff often see them – in the loo, or on mugs and screen savers. To come up with catchy messages in a creative way, it’s a good idea for information security professionals to team up with the communications department, who can also help coordinate campaigns launched by the various business units so that staff don’t suffer message fatigue.
In the fight against phishing campaigns, it could be very helpful if every employee had someone to turn to – a friend, a family member or a security team member – when in doubt about whether it’s safe to click on a particular link.
An idea that information security could borrow from businesses operating in hazardous environments is signposting transactions that are particularly high value to the organisation, to urge users to exercise extra caution.
The security mindset of the organisation can be further enhanced by information security and physical security working closely together. It should also be part of the corporate security mindset that, no matter how big the brand that manufactured a device is, its security controls can never be taken for granted.
Don’t punish; rely on positive reinforcement instead.
Third parties, in the security sense of the word, don’t just include your contractors but also delivery people or even your office’s neighbours. Incorporate them into your security culture too.
Make your security training personal, so that your staff understand that this doesn’t just happen to others: they can also become victims.
Use real-world examples of breaches and ask your employees what they would have done.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543