Building a Security Culture: The Foundation of a Secure Organization

By Doug Fisher, Senior Vice President & Chief Security, Lenovo

State-of-the-art software to monitor your networks, ideally including AI-powered software to identify and repel potential attacks as rapidly as they reach your network, is also critical. And you should insist that only approved devices with up-to-date security software have access to your network. These are all security fundamentals.

Yet the most important element for protecting you from cyberattacks is your people, and not just your security teams. Obviously, you want experienced, talented, and focused people on your security teams, ensuring that all the protections listed above are in place and fully operational. But the truth is, to really be secure you need every single person at your organization – from sales to finance to human resources to the CEO – to know their role in keeping your organization secure. And to do that, you need to build a strong security culture.

The theme of Cybersecurity Awareness Month – “See Yourself in Cyber” – aligns with these two important aspects to strong cybersecurity. 0The first is that all industries need more qualified, talented people to consider cybersecurity as a career. Security threats continue to grow in both volume and severity, and the world needs to focus on and invest in building and growing talent in cybersecurity. But I would argue the second part – that everyone knows how they can be part of making cybersecurity stronger – is every bit as important and where a strong security culture comes is essential.

What is a “security first culture”?

What do I mean by a strong security culture? I mean an organization in which thinking about security is as routine and innate as thinking about the financial cost of a project or plans for an upcoming product launch date. Much like organizations focus on quality in every process, they need to think about security in the same way. Thinking about security means everything from building security into every new product to thinking twice before opening a link in an email from an uncertain source, or responding to a request for potentially confidential information by telephone or social media. In short it means security is always top of mind for everyone.

To get everyone focused on security, you first need support from the highest levels of your organization.  For Lenovo, that started with our CEO creating the role of Chief Security Officer and making it part of the company’s executive committee as well as having a dotted-line report to the Board of Directors.  This reporting structure gives the CSO a tremendous amount of support, giving me the permission to have the tough conversations and take strong actions needed to ensure security is always a priority.

That high level of support also enables a CSO to take a holistic approach to security. Especially in large organizations with multiple business units and product lines, it is all too easy to develop a siloed approach to a wide range of business issues, including security. However, we’ve seen clear benefits to a unified structure – what we call a One Lenovo approach – that brings security teams across the company together. We bring leaders from the Chief Information Security Office, product security, supply chain security, and physical security together to identify successes and raise issues that need to be addressed. Often, we find places where different parts of the business can collaborate on solutions, while also reaching consensus on the chief challenges the company needs to address. That approach is especially helpful when asking for the resources needed to address security issues.

Which is also why the CSO needs to create a strong partnership with the other senior leaders across the organization because no CSO can do it alone. This partnership needs to be based on the shared understanding that customers expect strong protections for their data and privacy, and any failure to do so risks long-term damage to the organization’s reputation and brand, as well financial properties and damage to the company’s ESG scores. Given this, the CSO is responsible for identifying security risks and potential solutions, and then working with the senior leadership to agree on the planned solutions and finding the resources to complete that plan.

Strong Security Includes Everyone

But after aligning with your senior leaders and your security teams you still have more than 90% of your organization that also needs to put security first. How do they become part of the security culture? The answer is to help them understand how they can help and how strong security benefits everyone.  And the best way to convey this information is training. Given the sheer volume of attacks on most large enterprises, employees eventually will find themselves on the front lines, typically in the form of a phishing attack.  The ever-increasing sophistication of these phony emails, social alerts, texts, or phone calls means almost every day an employee decides whether to click on a link on a well-disguised email, or to report it instead.

Training accomplishes two main objectives.  First, it gives employees the tools to identify attacks masquerading as friendly alerts or greetings and know what to do.  Second, it reminds employees to be vigilant.

We have mandatory company-wide training each year, and by mandatory, I mean no one is exempt, especially senior executives. And while no training is perfect, ours certainly contributed to a significant decline in successful attacks, and a dramatic rise in attacks that get identified and reported to our security teams.

Security certainly is a journey, not a destination. But if you can build a strong security culture across your organization and communicate that everyone – including top executives – has a role to play, you put yourself in a much better position to make that journey as smooth as possible.

Doug Fisher, Senior Vice President & Chief Security, Lenovo