How CISOs Can Reframe The Conversation Around Security: 4 Steps

Security professionals often complain that people are the weak link in the data security system. But in reality, they could be your biggest asset and ally.

Jon Allen, Assistant VP & CISO, Baylor University

December 8, 2015

4 Min Read
Dark Reading logo in a gray background | Dark Reading

When I joined Baylor University in 1995, the job I have now did not exist. In 2003, I took on the role as coordinator of IT security at the university, but it wasn’t until a few years later that the Chief Information Security Officer (CISO) role formalized into what it is today – a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged information security team, which has increasingly become a necessity in protecting against data breaches. Cyberattacks are more persistent and sophisticated, and as a result, CISOs are rethinking the most fundamental aspects of IT strategy and infrastructure. This new security paradigm is no longer just about using technology to protect against the next data breach; it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers; data now lives on the edge of the network on user devices, where it is more vulnerable to threats. With this shift comes new CISO challenges and. To be effective, IT and security teams need visibility into where information is stored, what type of information is on devices, and the ability to apply appropriate data controls. In today’s BYOD world, what matters is how and where employees are taking the data. And it is not about implementing more and more security protocol, it is about educating employees on the responsible choices they can make to avoid data loss and mitigate risk. We’re all in this together.

With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together. As technology changes, it is vital to get the entire organization on board. Here are four steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security policy; they do not want to be inconvenienced unless they see a true benefit. To ensure the value of security resonates within the workforce, make it personal by informing people how a data breach would impact them personally. For example, students at Baylor might be more concerned about data protection and security policies if they knew  the schoolwork in their laptop— including book-length theses — was protected from theft, hard drive crashes or attacks on the network. 

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data, and be wary of potential scams or breaches but simply telling them what to do doesn’t teach anything about the benefits or risks. When people understand the “why behind the what” and the value of a security strategy, they’ll be more invested in it. Sharing examples of how security threats have impacted organizations is a great way to demonstrate the potential consequences of their behavior. If someone opens a phishing email with a hyperlink infected with malware, that attack could threaten an organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in. . It is not enought to deploy the latest and greatest advanced threat detection and anti-malware software. You must also introduce basic steps that will hedge against human error. Data loss by malware, hardware failure or accident is the one of the most common and preventable threats. By continuously backing up your organization’s data, data availability can be integrated into your organization’s infrastructure and processes. Another example of baking security into the organization is Baylor’s approach to software acquisition. Faculty and staff must submit forms for software approval through the information security team. This allows risk analysis to take place before software is purchased for the campus environment. Failure to follow the process results in delays or cancellation by the purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within their organizations to help them understand their respective roles and responsibilities within security. As part of this give and take,  the CISO needs to quantify the risk and explain how it applies to their respective domain. As with general employees, department managers will take more ownership when they see understand how security maps to compliance requirements.

CISOs should also show employees how security extends beyond endpoints, networks and datacenters. Any technology that is connected via an IP address today can expose an entire network. At Baylor we recently built a new stadium with the audio system, elevators and fire alarms all connected and dependent on the network. With all of those connected devices, significant planning helped to ensure that proper security measures were in place to protect the school.

The conversation around information security has been reframed. It is no longer strictly about the technical aspects; now, it is about engagement and relationship building. CISOs must learn a new set of skills to incorporate everyone in the security strategy – not just their security team. Security professionals often complain that people are the weak link in the data security system, but, in reality, they could be your biggest asset and ally.  

About the Author

Jon Allen

Assistant VP & CISO, Baylor University

Jon Allen is the assistant vice president and Chief Information Security Officer at Baylor University where he has built the information security group from a one-person shop to an integrated organization. Jon has more than ten years of experience in information and network security and is a member of the Educause Effective Practices committee, and the SANS EDU advisory council. He has presented at RSA, Educause, Treasury Institute PCI workshop, SEAT and IANS on topics ranging from PCI compliance to InfoSec in the age of Cloud and Agile IT.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights