DS News September 2022

Issue link: http://digital.dsnews.com/i/1477838

everybody in the organization has a role in security. As a security leader, you need to partner with those closest to the box, educate them, and empower them to protect the box. That is why the first step in building a culture of information security is always to put your sneakers on, walk around, and get to know the people. Here's who to meet, what to talk about, and how to build those partnerships:

» Build relationships with the technology owners: Understand their roles and processes, and how they're using technology to support these processes. Respect their specialized expertise, and they will come to respect yours.

» Find individuals who will champion the cause: When you see things that are being done in a safe and secure manner, find out who is behind those things. Get to know their mindset, approach them, and start working closely with them.

» Find your naysayers: In most organizations, there are those who have had bad experiences with information security professionals acting as the "no police." Understand their position and what kind of conversations you need to have to be able to work together.

» Meet everybody who comes into the organization: Hold regular group and individual security training as part of the onboarding process. This allows you to get an understanding of people's exposure to security and compliance. For example, someone who has been exposed to HIPAA probably has the right mindset, even if they're joining a new industry.

» Get to know your information security (infosec) team members: Explain your position, approach, and successes. Often, these team members came from an embattled culture of infosec versus everybody else. If you can't fathom what a collaborative infosec culture looks like, it's hard to help create one.

» Become a consultant: Many infosec professionals come from the government field, where if people don't follow policy, there are penalties. In the enterprise, you can no longer rely on that authoritarian stance toward policy. You have to call out the vulnerability, explain the risk, and offer potential solutions. Then ask, "What are your thoughts?"

» Stay in your lane: Many security professionals see a vulnerability and say, "You've got to fix it." If it doesn't get fixed, they cannot let it go. They don't realize they don't get to make those decisions. There are always business risks outside of information systems that have to be weighed and balanced when deciding just how to allocate budget and resources. Our job is to educate, inform, and remediate if the organization wants us to. Stay in your lane, and you'll stay sane.

As a security professional, it's very rewarding to fix a vulnerability or thwart an attack. It's a big part of why we get into the profession in the first place. But we must realize that we cannot secure anything within the organization on our own. True security efforts come through a groundswell of collaborative efforts. It's more rewarding when the lights come on and people begin to understand that they play an active role in these efforts.

Attending annual security training, updating your passwords, and not clicking on suspicious emails is just the beginning. Those are broad-based technical vulnerabilities. But everybody also has security responsibilities that depend on their role within the company. If you're in accounts payable (AP), for example, you need to be up on the latest business email compromise scams and have methods in place to spot and defeat them. If you're working with external vendors, you need to be aware of your organization's requirements for how they handle your information. Our job is to break down the us/them barrier and build those partnerships, because security is a "we" thing.

Early in my career, I unwittingly created resistance to security by focusing on rules and technology. Once I changed my approach, most of the barriers I had been encountering disappeared. Bugs and vulnerabilities can be fixed, but infosec never ends.

People, processes, and technology are always changing, as there are updates to technology on a regular basis. Processes are always being evaluated for efficiency and maturity. If you educate and empower the people, the processes can change. The technology can change, but the mindset stays. And that's how you build a culture of cybersecurity.

Tony Carothers is the Security Systems Engineer at Corpay, a FLEETCOR company. He has more than 30 years of experience in information security, working in both the public and private sectors.

Feature By: Tony Carothers
