The security function needs to change course. Instead of focusing on security outcomes alone, it should become a business partner that advises on risk. Acting as a guardian does not serve the company either, and it makes it too easy to leave security to the security department. But how do you help people become aware of the risks and change their behaviour? The answer to this dilemma is security culture, says Thom Langford, CISO, Publicis Groupe.
Culture eats strategy for breakfast, as the famous quote goes. When it comes to security, it is true. Careless, uninformed, or disgruntled employees are a common threat. However, you can't solve the problem by offering ever more detailed instructions and bans. Quite the contrary: by doing so, the security department becomes the last one to be informed about mistakes and about risks that have materialised.
“To create security as a competitive advantage, start by being easy to reach and generous with information. Extend your advice to everybody’s digital lives. If people become aware of the security issues on the road or at home, they are more willing to accept the security advice in the workplace,” Thom Langford states.
People see security risks as a definitive issue, as something that needs to be reduced or removed. In reality, most situations are not that straightforward: what is acceptable one week is not acceptable the next.
“You have to have a security strategy, there is no doubt about that, because you have to understand the business environment you are operating in. But strategy is going to change from time to time, while the culture is something that’s going to be around for a long time. Batman has a strategy but Joker has a culture, that is why he keeps coming back.”
Often people are not aware of the risks. Nobody leaves their home front door open, but many leave their computer unlocked when they go to lunch. To create a security culture, one needs to ensure that people within your business are fully aware of what security means.
“Stop treating users as idiots. Being open and allowing people to come to you with their mistakes means that they’ll be more willing to learn from those mistakes. It is extremely important to engage people and increase their self-awareness.”
Supporting the business means that the security department should know its place and co-operate with the business. The focus should be on the business outcome, weighing potential risks against it.
“If you do it the other way round and focus on security outcomes alone, you will end up saying no all the time. In our company, we rely on openness and communication. We are also using some of our own marketing techniques, using our own social media platforms, for example. We want to create the feeling that we are all on the same side, trying to achieve the business goals and get everybody their bonuses at the end of the year.”
Thom Langford, CISO at Publicis Groupe, was a speaker at the 600Minutes Information and Cyber Security in Finland on the 19th of May 2016. He will be speaking at the Internet of Things, Sweden, event on the 7th of December 2016.