Verizon Business’ 2024 Data Breach Investigations Report revealed that 68% of breaches included a non-malicious human element, such as people falling for phishing schemes, mishandling sensitive information, or getting duped by a social engineering attempt. These statistics underscore a critical truth: the way people interact with and buy into the company’s security program has a massive impact on the organization’s vulnerability to breaches.

The impact of a security breach is often seen in the form of plummeting stock prices, loss of customer confidence, and a damaged brand image. The ripple effects of a well-managed security program (or a poorly managed one) extend far beyond the IT department. To put it simply, security is a critical factor in how a business is perceived, both by its customers and its own team. Security is more than just a department tasked with preventing breaches and outages; it’s a core business function, as integral to an organization’s success as finance, revenue generation, or product development.

One of the biggest hurdles security teams face is their reputation as the “Department of No.” Interactions with the security department can often be negative: mandatory training, investigations, or requests denied due to potential risks. This pattern fosters a perception of security as a roadblock to productivity. In reality, the security team works tirelessly behind the scenes to keep the organization safe. However, without intentional efforts to communicate successes and provide opportunities for positive interactions, the security team’s efforts go largely unnoticed—until something goes wrong.

It’s essential to shift the narrative around security so that it’s not just viewed as a quarterly budget line item or a source of bad news. Instead, it involves making a conscious effort to explain the “why” behind security policies, seeking feedback on roadblocks, and showcasing wins as part of the normal business cadence. Shifting the perception of security from one of avoidance to one of reinforcement, safety, and reliable guidance can have a profound impact on an organization’s overall security posture. When people view security as a collaborative function rather than a reactive or punitive one, they are more likely to engage meaningfully with security initiatives.

In larger organizations, the role of advocating for security often falls to executives like the Chief Information Security Officer (CISO) or Chief Information Officer (CIO). These leaders can champion the value, progress, and needs of the security program at the top, ensuring that other executives and stakeholders are in the loop. It might seem like self-promotion, but documenting the security team’s achievements—such as threats prevented, processes improved, and successful projects—goes a long way in keeping the value of security at the top of leadership’s mind. The key is to choose the right metrics that align with your security goals.

Most people don’t have a security expert on speed dial in their personal lives, so the awareness education they receive at work may be the only training they get. Treat this as an opportunity: instead of relying on click-through training modules to meet minimum insurance or compliance requirements, use security training to empower everyone with knowledge that benefits them both professionally and personally. This helps keep them safe from threats in their daily lives while also reinforcing organizational security by making them less susceptible to social engineering attacks. Teach teammates about current attack trends and the good security hygiene they should practice, which applies not only to work devices but also to personal activities like social media usage. Additionally, consider incorporating security tips into regular team meetings or all-hands updates. Regular, small doses of security education help combat the “forgetting curve,” a theory developed by Hermann Ebbinghaus that suggests people forget 75% of newly learned information within a couple of days.

Rewarding positive behaviors, like quickly reporting phishing attempts, can also help improve your security posture. Recognizing teammates for their contributions to security can encourage them to engage with the security team more proactively rather than reacting out of fear and avoidance.

Ultimately, security is a shared endeavor, and by building a culture of trust and positive reinforcement, you not only protect your business but also empower your team to protect themselves—both inside and outside the workplace. This collective effort helps create a stronger, safer organization where security is everyone’s responsibility.
This Cyber News was published on informationsecuritybuzz.com. Publication date: Fri, 04 Oct 2024 05:43:05 +0000