Creating a Culture of Information Security During National Cyber Security Awareness Month

I’ve often said to security teams I’ve led over the years, “You never want to waste a crisis,” and today’s headlines are filled with one security crisis after another. A couple of the largest retailers in the U.S. and a money-center bank are the latest to make news by losing customer data to cybercriminals, while this summer’s theft of celebrity “selfies” has made data security top-of-mind for even the most casual users. And just last week I was posting here about our investigation into the “Shellshock” – Bash Bug Vulnerability Alert.

Overhead photo of a crowd of people crossing a street

As we enter National Cyber Security Awareness Month, these events are useful tools to raise peoples’ awareness about threats and vulnerabilities that can jeopardize the information they work with every day. Countless studies have shown that data breaches aren’t typically caused by failures of security hardware or software, but by the humans, or the “wetware” that operates most information systems (the human brain being composed of about 75% water). In other words, even as next-generation firewalls and anti-virus/malware software grow more sophisticated and efficient, they are only as effective as the people who use them (or don’t).

The rising incidents of high-profile, damaging breaches should serve as a wake-up call that information security must be a shared responsibility across the enterprise. Organizations need to break through the long-held belief that security is something others (the guns, gates, guards, or geeks) are charged with advancing. Employees, business partners and anyone else with access to sensitive data can no longer think of security as a distasteful cost of doing business. It’s now an indispensable aspect of advancing business prosperity and growth. Just as information technology has reached into the far corners of virtually every enterprise, so too must data security, fostering a culture of business assurance.

Intelligent Risk Taking

This isn’t to say that employees should cower in their cubicles in fear of cybercriminals and the vulnerabilities they could inadvertently expose. Advancing business in the global marketplace today is about intelligent risk taking. Enterprising employees will always feel pressure to get things done, to expedite their efforts, to demonstrate business agility, creating temptation to potentially cut corners on security processes and protocols. But establishing a culture of security helps ensure that expedience is practiced intelligently, and only in light of the latest and best threat data available. Employees need to know how poised an adversary is to strike and what, if any, vulnerabilities or exposure might come as a result.

The key to establishing such a culture is good, clear communication. Not just raising the specter of mere possibilities or “boogiemen” who you think you’re facing, but the actual documented prowess and the nature of the threat. (See BusinessWeek’s Missed Alarms and 40 Million Stolen Credit Card Numbers.) My experience is that when you speak candidly and share real data—not just remote possibilities or probabilities but real threat data and actualities—people will take it seriously, and their hearts and minds come along quickly. It’s when they don’t believe the threat is real that they’ll cut a corner here or there. Give them clearly articulated, real threat data, and they buy in.

Both the Carrot and Stick

Aristotle said something to the effect that, “He is only virtuous who acts outside of fear of punishment or desire for reward.” Though we believe that humans are evolving, the virtuous employee, in an Aristotelian sense, is not the norm. Humans still learn consequential thinking at an early age, and organizations have both carrots and sticks at their disposal to help establish the necessary culture of information security. Profit sharing, bonuses and other standard measures of business performance clearly serve as a carrot to reward employees. They help communicate that it’s in their mutual best interest to assure that the information assets that generate revenue—and the profits they share in—are properly protected. Profit sharing and performance bonuses can be a powerful specter that induces people to refocus their energies and make sure that on a daily basis they’re executing in the smartest way possible.

Conversely, organizations need a repertoire of sticks to emphasize the criticality of information security. If you wantonly choose to disregard critical security protocols that have been shared, and you refuse to engage in processes that are designed for the collective wellbeing, there must be consequences. And when those consequences are made clear and applied, most human beings are smart enough to take note and will benefit. It’s got to be a combination of both carrots and sticks, until human nature changes.

And whether using a carrot or a stick, leadership should find a way to make it personal. Everyone needs to take individual responsibility and have a personal stake in security and compliance. Doing so can help create an army of foot soldiers on the lookout for potential gaps and threats.

Our Interconnected World

Interdependencies between the physical and logical security worlds are growing exponentially. The rigid boundaries of delineated interests are largely gone: where our business lives begin and our private lives end, and vice versa, is no longer clear. The delineations are so porous that a culture truly focused on security has to be one that’s conscious of the openness or connectedness of the world we now live in. That security culture has to be what I call “contextually aware.” It has to embody an understanding of the open nature of our world and be attuned to the way in which unexpected threat vectors might come at us because of that openness.

That’s Dell’s approach to the human side of IT security. You can delve deeper into our vision at and share your own IT security stories using #BetterSecurity4All on Twitter.  For more answers to real-world IT security challenges, join us at Dell World 2014, Nov. 4 – 6, in Austin, TX. There you’ll learn how to defend against wide-ranging threats, enable business with more connected IT security, and safeguard it all, from device to data center to cloud.

About the Author: John McClurg