Why CISOs are increasingly focused on cultivating soft skills for business security

Cybercrime today is an ever-present concern for companies across the UK and further afield. While businesses are focusing on trying to prevent attacks, there’s also an understanding that breaches are inevitable. It’s a question of when a data breach will happen rather than if a company will fall victim to one. The main line of defence organisations have is their internal security team, led by a Chief Information Security Officer (CISO).

Traditionally, CISOs spearhead internal and external information protection efforts. The current cyber risk environment is expanding their role. It is no longer about creating a security plan and relying on those with technical know-how to execute it. It now includes building a culture of security transparency and accountability.

To communicate risks and complex security concepts to all employees, even those in the C-suite and the boardroom, CISOs must build a foundation in the boardroom first. From there, it will reach all other levels of the company.

One way to look at it is that CISOs have a toolbox of priorities, best practices and insights they pull from. But, to successfully guard against increasingly complex and pervasive threats, CISOs are recognising the increasing need to adjust the contents of their toolboxes to include tools that a wider variety of people understand and know how to use.

If everyone involved in a new product lifecycle, from engineers to the sales team, looks for and addresses potential risks earlier on, they can ensure built-in security measures are second nature, which reduces any delay in time to market.

A culture-oriented approach to measuring success

Security roles have traditionally been viewed as highly technical and culture-agnostic. Today’s savvy CISO recognises that soft skills are just as important. The best CISOs understand the language of both the business and technical worlds. However, they must also be able to influence people to create a healthy security culture in each team. CISOs now need to come across as a colleague or partner rather than being seen as the company’s police officer.

It means that CISOs must have strong people skills and the ability to build relationships across different teams and departments. Modern CISOs are evolving to prioritise the development of soft skills and culture-building initiatives, such as employee engagement and observability, to ensure that the security practices they know are best for the company are truly implemented.

Security roles are typically highly technical and not traditionally considered major culture drivers. To counter that, top CISOs are now building a culture of transparency and accountability, so that people at every level can understand their assets and the associated risks. One of the most effective ways to cement security into an organisation’s culture is to make people want to adopt security measures instead of feeling as though they are being forced to.

What should the CISO toolbox contain?

To make security a foundational part of any business’s culture, the CISO toolbox needs to include:

  • Security-motivated employees: Basing security programs on excitement and employee engagement rather than mandates.
  • Diverse skill sets: Driving diversity forward via complementary skill sets.
  • Transparency around risks: Advocating for visibility and observability so employees understand what assets are at risk and how to proactively protect them.
  • Encouraging ownership: Every team needs to own their security. Security teams provide guardrails and tools, but they should act as auditors and educators while teams implement security best practices.
  • Mentorship: Sharing actionable advice based on personal experiences helps people see security as a business enabler rather than a barrier.

Cloud environments change in the blink of an eye. Every day, new applications or services can be deployed. These come in all shapes, sizes and architectures, requiring continuous runtime security. This makes the current threat landscape make-or-break for businesses globally.

Take one glance at the news each day, and you’ll see cyber criminals are becoming emboldened – and succeeding more than ever. As organisations continue to work hard to guarantee that they are keeping their security posture ahead of an ever-evolving threat landscape and skilled would-be cybercriminals, management needs to ensure their security program is inclusive of everyone.

By leaning on skills not found in a textbook, intertwining company culture with security knowledge and requiring safe practices to be a top consideration rather than an add-on, the modern CISO is one equipped with the soft skills and tools needed to bring the whole company willingly into the security fold.


Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud.
