Building a culture of security is everyone’s responsibility

How can companies become more resilient by embedding risk management and security throughout the operational culture?


Before the digitisation of the workplace, security was more straightforward. The doors were locked at the end of the night, and the workplace was secure. Now, every single device is a virtual door into a company’s operations, and every device is a potential entry point through which a security weakness can be exploited. 

In the same way that employees are expected to lock the doors to the office, operational security is everyone’s responsibility. To ensure this is embraced across the organisation, companies need to create a culture of security, empowering every single employee to protect the business and its assets. 

“There’s this increasing desire to do digital transformation and modernise ways of working. That’s great. But there’s this paradigm shift that needs to occur. There’s a dichotomy between the need to digitally transform and also be secure in doing that,” says Red Hat’s principal cybersecurity lead Robert Erenberg-Andersen. He advises companies to prioritise both digital transformation and the embedding of a secure culture at the same time to ensure digital transformation is carried out safely and responsibly. 

At a recent roundtable, experts shared their opinions on and experiences with operational security. They found that security is often seen as the natural opposite of digital transformation. It has also traditionally been the purview of the CISO or CIO alone. But a single person or team is not enough to build a secure business, and the realities of the modern workplace reflect that. Remote workers, non-desk-based workers and the proliferation of devices – from printers to tablets to mobiles to computers – mean there are more security risks than ever before. But instead of seeing that only as a vulnerability, business leaders can consider the ways a cultural shift can create opportunities. 

Karl Hoods, group chief digital and information officer for the Department for Energy Security and Net Zero, says that creating a culture of security will allow an organisation to transform more effectively and creatively. It will facilitate greater digital opportunities because it gives the business a strong foundation on which to grow. “Security isn’t just about delivering a new service or set of services in a discrete and isolated way,” he says. “It has to be in conjunction with digital transformation so that it’s seen as an enabler, rather than a gatekeeper.” 

Being an enabler is a common goal for those responsible for crafting secure operations. Eric Liebowitz, chief information security officer at Thales, says “enabler mode” is how operations security teams can “focus on how they enable the business quickly.” He adds: “It doesn’t have to be a digital transformation. It could be a specific project that we need to help people navigate.” 

Building that culture requires employees to be empowered to prioritise security and to be held accountable for it. Employees have to understand the ways in which they can build security into whatever they are doing. But they also have to buy into the reasons for doing so. Leaders need to communicate the value of a secure culture so that people see security not as a chore but as a tool for improving business resilience. 

From an operational perspective, getting employees aligned behind the organisational objectives and empowered to act in secure ways is the key to creating a secure culture from the ground up. But companies must also see a level of collaboration among leaders to ensure this continuous improvement is prioritised as new technologies are implemented and strategies change. 

Not only is this valuable from a cultural perspective, it also ensures that risk is owned by the right person. If a security risk is the responsibility of someone who does not hold the budget to deal with the ramifications of the impact, Erenberg-Andersen says, they are the wrong person to own that risk. He advises leaders to take responsibility for operational risks, thereby prioritising security as a matter of business-critical decision-making. If an attack happens, he says, leaders have to be accountable. “When you have that accountability, then you also have the vested interest in doing it the right way.” 

Part of getting business leaders to support this shift is for CISOs and technologists to present security in terms CEOs and board members understand. A secure business reduces financial and operational risk. That is something leaders care about. 

But another key challenge in getting leadership buy-in is that boards see cybersecurity and operational security as a one-off transformation or cost. “They see it as a discrete activity,” says Liebowitz. “Security isn’t just a technology or cyber team issue,” because attacks can affect critical business operations, disrupting things far outside the tech team’s remit. That ripple effect makes security business-critical for every team. 

Richard Jones, head of information assurance and cyber security at Leidos, agrees: “Everyone wants to keep the business going. There’s a shared goal of resilience. If everyone understands that their job is to keep their business resilient, then everyone can start to play a part in defending from a cyber perspective, reacting from a cyber perspective and then forecasting.” 

Getting leaders and employees to understand the critical nature of security to business resilience is the first step. Then, companies must commit to continuous improvement. Security isn’t just something to be invested in, deployed and then forgotten about. It must be continuously present across all business operations and able to adapt to changing needs. 

Tulsi Narayan, senior vice-president of cyber and intelligence at Mastercard Europe, advises “constant vigilance”: continuous, technology-driven monitoring rather than periodic checks, paired with ongoing improvement and training so that employees treat security as part of their daily work. “You can’t digitalise in a rush. Embedding security in the culture of an organisation is only achieved when you enable people to understand the security need, engage with the results from continuous monitoring, and react effectively based on the results,” she says. 

Sanjit Shewale, global head of digital business line at ABB Process Industries, likens it to digital transformation. Over the past decade or two of business digitalisation, companies have come to realise that digital transformation is not achievable in a single project or investment. It requires constant adaptation. Security requires the same thing. “It is not a start and end programme, it’s continuous,” Shewale says, advising leaders to act collaboratively and build in security education so that employees are aware of the risks they can help mitigate. “I really think that collaboration from the leadership level down permeates throughout the organisation. Prioritising it is something you can no longer afford not to do.” 

If security is seen not as something that prevents innovation and change but as something that facilitates it safely, it can help companies solve problems. They can digitalise and evolve while building a stronger, more cohesive culture. “Technologists need to understand the core of how businesses operate and make money and profit. But the business needs to understand how tech is enabling that because they are inextricably intertwined now; you can’t separate them,” says Erenberg-Andersen. 

Leaders sometimes see digital transformation as the diametric opposite of operational security. But with a commitment to empowering employees and building a culture of security in which continuous improvement results in business resilience, companies can embrace the opportunities and freedom digitalisation offers while keeping risk limited. 

Every single device a company uses is a potential risk point. But, just like locking the office door, if every employee is empowered to protect themselves and the business’ assets, a culture of security will create a stronger, safer company.

How can companies create a culture of security?

At a recent roundtable, technology, cybersecurity and IT leaders discussed the value of embedding security in an organisation. They asserted the importance of operational security in protecting a business and its assets.

For more information please visit Red Hat