4 tips on how to build a security-first culture and get buy-in across teams

Much to the chagrin of security professionals, cybersecurity best practices are often seen as a nuisance by employees outside of the security and IT teams. The consensus is that security slows down processes, and limits autonomy and training is one more thing to check off the list.

But employees are ultimately your biggest vulnerability, so in order to move the needle and actually improve your security posture, you need participation from all teams. IT needs to patch software, employees must avoid clicking on phishing emails and anyone using internet-based applications, cloud-based software or even email needs to understand how to protect confidential information and engage in safe practices. This is not isolated to certain departments or individuals but something that needs to be a company-wide initiative.

So how do you get buy-in on your security efforts? During a recent Right-Hand Security, The Front Lines event, SolCyber Chief Technology Officer David Emerson interviewed cybersecurity expert and friend of SolCyber Scot Hutton on how cyber leaders can more effectively communicate with boards and others in an organization about security. You can watch the full interview on YouTube, but we’ve pulled out a few tips below that specifically speak to how to get buy-in from the rest of your organization.

Here are four tips that will help in building a culture that values security.

1. Involve team leads in creating security KPIs

Security involves every aspect of the business and hitting KPIs relies on the security team’s ability to change people’s habits and behaviors. So it’s helpful to loop in others outside of your department to create realistic security KPIs.

In his talk, Scot notes that general counsel tends to understand and communicate risk well, as do HR professionals. In addition to bouncing ideas off your security peers both in and outside of your organization, he recommends tapping into these two groups for advice on KPIs.

“I typically come up with metrics, run them past colleagues, then start measuring them for a few months,” advises Scot. “I then present them to the CTO, CIO and CFO to get feedback. From there, I share with regions and department heads to ask for their input as well.”

Not only will this process help you set achievable KPIs, but by getting department heads involved early on, they’ll take ownership over the project and encourage their team’s participation. When people are working towards goals they helped set, they’re more likely to be invested in the outcome.

2. Encourage participation with gamification

Any good security strategy will include training and testing employees on how well they’re adopting security best practices and how well they’re resisting phishing emails. To get people excited about security training — rather than dreading it — tap into their competitive spirit.

Create a leaderboard for how teams perform on tests and who has completed their security training. Publish the leaderboard weekly (or monthly, depending on your goals), so people are incentivized to perform better than other teams or regions.

By gamifying security, you’ll get everyone involved, excited and motivated to perform better. It will make reaching your KPIs easier and will likely create a number of security ambassadors that encourage their teammates to complete training modules and integrate best practices into their work.  

3. Focus on the positive

Many security professionals feel like they’re constantly saying no or creating roadblocks for employees. But you can put the appropriate safety precautions in place, and ensure people feel good about them, by framing security in a positive light.

When communicating risks, do it in a way that removes any blame from the person you’re talking to. Show up with solutions rather than problems and work with your colleagues to find safe tools and processes that work for them — and keep the company safe. Security should approach the tech, product and marketing teams saying, “That sounds like a great tool. Can I help with the security side of that?” rather than shutting down the idea of using a risky tool. The conversation should be a two-way street, and security should be seen as a resource for employees — not the ultimate enforcer of rules.

If an employee fails a security test, they should be re-enrolled in training. But it’s important to do that in a way that focuses on how the employee can find success in the future. No one wants to be spoken to like a child that made a stupid mistake and training shouldn’t feel like a punishment. Keep your language positive and focused on the future.

Even when reporting on security KPIs, there should be a balance between wins and areas for improvement. Rather than simply noting the number of people who fell victim to phishing scams or failed a security test, also call out how many people reported the scam or passed their training. Employees will feel better, and this approach provides a more accurate picture of how the company is performing when it comes to risk.

4. Proactive and constant, informative communication

As a security professional, your work is never done. Beyond training and testing, you need to provide consistent, informative updates in eblasts, presentations at team meetings and in conversations with team leads. Make sure you’re having regular conversations with the people who can drive and influence change, especially when you’re trying to influence a behavior. Help those people understand where their teams are, where they tend to experience challenges, how they can improve in the future and why it’s important.

Before updating your leaderboard, be sure to reach out to the people in the bottom 50 percent — or bottom quarter depending on how large your organization is — to give them the heads up and make sure they don’t feel blindsided. Offer your assistance in a way that allows them to take ownership over their team’s performance, so they’re still invested in a win.  

Finally, employees can’t avoid risks they don’t know about, so make sure they understand how various security tools work. For instance, many companies are using third-party applications to manage security or governance, but they don’t realize that the tools they’ve invested in only protect hardware and not software. It’s your job to have detailed conversations with teams and vendors to understand what’s really covered and what’s not. Then educate your people on where their responsibility begins.  

Security teams don’t need to have adversarial relationships with the rest of the organization. By focusing on the positive, coming in with solutions and getting people excited about security, you’ll get buy-in from the rest of your organization and have an easier time reaching your KPIs. 

For more tips on how to communicate security strategy with your board and broader organization, watch the full Front Lines session.