Creating a Culture of Security

submitted by
Style Pass
2024-11-08 17:30:07

As a CISO, one of the most common questions I get is, “How do you build a culture of security?” My short answer is: culture is what you repeatedly do. Building a culture comes through when: (1) you take action, (2) in a programmatic way, (3) that prioritizes security as a practice.

Start somewhere. Don’t get hung up on perfection, start putting in the architectural templatizing that you need to scale. Start writing down (and enforcing) policies like MFA everywhere, observe a cadence for patching and updates, and take a look at compliance requirements including regular security awareness training.

Having these kinds of practices in place will streamline your operations, and it will also create a repeatable, defensible approach, which is critical. That matters because you want to minimize actual risk, but also because you will need to provide attestations to your leadership chain, which includes the Board.

And in the event that you come under scrutiny by your regulator (this could be the SEC, the FTC, an international entity, or others, and even CISA, which asks for pledges such as Secure by Design that are not required but may reduce the likelihood of inviting governmental scrutiny), it will also become highly important that you have a programmatic approach to security team practices, and that you represent those practices accurately.
