Questions for the Boardroom: Is the Company Fostering a Culture of Compliance and Security?

12/06/2018  |  By: Mark Johnson, CISSP, Shareholder, Information Security

Here’s a fact: Employees at every organization create, handle, and manipulate sensitive data daily. It’s their job. And, that means employees are the first line of defense for protecting your organization’s sensitive data.

The problem is that, at many companies, cybersecurity training isn’t a learning opportunity, but rather a box to be checked off (and largely forgotten). Add to that the fact that, after working with sensitive data for a significant period of time, many employees fall into one of two camps:

1. They become numb.

These employees handle sensitive data so often that they forget it’s even sensitive. They might be careless, unaware, or distracted. But, the fact is—mentally, they treat sensitive data like the results of last night’s football game. It’s trivial.

2. They become overly sensitive.

These employees go in the exact opposite direction from numb. They feel the weight of the data they handle—all of it. That means they might classify plainly non-sensitive data as “sensitive” or go to unnecessary lengths to protect unimportant data.

So, what can you do as a Board of Directors? How can you help management and employees discern sensitive data and handle it correctly? There’s one simple question to ask: Have we implemented proper security awareness training?

That means making sure the cybersecurity awareness program is tailored to the individual functions inside the company. Many organizations provide the same training to all employees—even though employees in different departments handle widely different data.

While a baseline security awareness training program is helpful for all employees, companies should also provide additional training to each employee based on their specific job function. 

For example:

An entry-level employee at a healthcare company may handle mildly sensitive data for a set number of clients or patients.

Contrast that with a senior-level cybersecurity team member who has insight into the company’s entire spectrum of sensitive data.

Because of this, both employees should have a baseline level of security awareness training, but the cybersecurity team member should undergo more intensive training as well. And, the entry-level employee should have training relevant to the data he or she handles regularly, too.

Beyond that, if you want to develop a culture of compliance and security, you’ll have to change the way your organization views mistakes. Cybersecurity mistakes can’t ALWAYS be viewed as punishable offenses or unforgivable blunders. If employees believe they’ll be punished every time they make a mistake, they will hide those mistakes, along with their lack of knowledge about anything cybersecurity-related, out of fear of getting in trouble.

Instead, view the majority of mistakes as teaching opportunities. An information security gaffe is an opportunity to re-explain the employee’s responsibilities and teach exactly how the problem can be avoided in the future. Obviously, there should be consequences if an employee continually fails to fulfill his or her responsibilities, but you already knew that.

A culture of compliance and security starts with the tone at the top. As a Board, it’s up to you to show your company that cybersecurity is…

  • Important, not just at a general level, but at a specific level for each role.
  • A continuous learning experience for everyone involved. It’s okay to admit a mistake or a lack of knowledge in an effort to improve.

Whether your company needs help developing the appropriate culture around information security, or if you’re content with your company’s culture and want to see how you’re performing, LBMC Information Security can help. Just click here to contact us and learn more.

This blog is the fifth in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.