Information Security: Your People, Your First Line of Defense

By Eddie Borrero, CISO, Robert Half [NYSE:RHI]

Eddie Borrero, CISO, Robert Half [NYSE:RHI]

A company can put together as many technology solutions or policies as it likes, but, in the end, its people are the most important element in information security. If the employees in your organization don’t feel personally invested in improving your organization’s security, your defenses will always be lacking.

"To turn your workforce into a team of information security advocates, you need to make security personal to them"

Firms that inspire in their employees a security mindset and personal sense of responsibility for keeping the business secure are definitely on the right track. According to research by Ponemon Institute, the average total cost of a data breach is more than US $3.6 million, and one in four organizations can expect to experience a breach. Also, cybersecurity breaches are only getting larger in terms of the number of files and accounts—and people—affected.

Your business may need to experiment a bit before discovering the secret recipe for turning your team members into information security advocates, but the effort is well worth it. At Robert Half, we’re taking steps to motivate our global employee base to view information security as a priority. We’re continually looking for new ways to engage our staff, so they want to get involved in helping the business adopt and apply best practices.

To turn your workforce into a team of information security advocates, you need to make security personal to them. This means helping them understand that lax security practices don’t just impact the mat work, they also hit the mat home.

One strategy we use to do this in our organization is our “Data Defenders” program. It gamifies security, and is designed to help employees feel more personally invested in protecting our company and its data and systems. Here are a few things we’ve learned so far from our work on this initiative that you might find useful as you create your own programs:

1. Build your Security Messages into your Culture

Our campaign focuses on educating people using every communication channel in our company—newsletters, posters, intranet sites, town-hall meetings, videos, annual trainings, and more. A multipronged approach to communication helps ensure we reach every employee in the format that speaks personally to them. They need to plainly see that the program you’re promoting isn’t just a mandate from IT or compliance, but a company wide effort supported by business leadership. When professionals observe their leaders and coworkers all striving toward a common goal, they often want to join in. And today, with so much news about data breaches in the spotlight, they can easily see the relevance and value in shoring up security efforts.

2. Forget a ‘One-Size-Fits-All’ Approach

Generic education about security doesn’t work. You need to tailor it, personalize it. That’s why we’re now experimenting with “personas” that represent different types of people in our company. The personas tie back to how people work, and what their roles are. We’ve identified the security risks for each persona—for example, the kinds of phishing an employee in accounting might encounter—and what people who fit those personas can do to help protect the company.

We’re just starting to introduce personas as part of our annual security awareness training. But we think they’re going to go a long way toward helping our employees make a strong connection between security risks and their day-to-day work experience.

3. Create Master Data Defenders

We’re now developing a “master” version of our Data Defenders program where employees volunteer to take formal, specialized training to understand the security gaps and risks in their specific areas of the business. I would help them set goals, and once they achieve them, they would earn the designation of a “Master Data Defender.” The company would recognize their success and provide them with a financial reward.

The whole idea of this master program is to encourage employees who are already passionate about information security to learn even more, and then take that knowledge back to their department. They become our experts “on the ground,” helping other employees become more security-minded.

4. Get Buy-In at the Top

I am convinced that no information security program will succeed unless a company’s leadership also feels passionate about the cause of improving security, and views it as a critical part of business strategy.

The good news is that top leadership, busy as they are, will likely be receptive. That includes the board of directors. The ‘National Association of Corporate Directors’ (NACD) 2016– 2017 Public Company Governance Survey found that almost one-quarter of boards are dissatisfied with the reporting that management provides on cybersecurity. So, there is clearly an opportunity to reach out, and I encourage you to do so sooner than later. You also might want to consider enlisting help from internal audit leadership, given that they already have the ear of senior management and the board.

Information security risks are always changing, so your program must keep changing, too. Most breaches can be prevented if a human does something differently—not clicking on a link, not opening a suspicious attachment, keeping passwords secure, the list goes on. Our job is to equip our employees with relevant knowledge they can use to keep our business secure. Front line defense is ultimately the best offense in keeping your data secure.