
5 Ingredients for a Robust Cybersecurity Culture

What it takes to help every part of your organization understand the function and value of security.

Shefali Mookencherry


Securing an organization starts with the culture within: from the security unit itself through executive and senior leadership, including the board. As Chief Information Security & Privacy Officer for the University of Illinois, Chicago Campus, one of my top priorities is working with the UIC community to create a robust cybersecurity culture, one where dialogue and education happen online and on campus about what to do with a phishing email or a compromised account. That culture takes into account whether there is an appetite to understand the functions and values of cybersecurity, with leaders partnering to face the threats of today and tomorrow. Here are five tips to remember for building this dynamic culture into and across an organization.


1. Sometimes the biggest threats lie within your own four walls.


These days, it’s not a matter of if but when a breach happens. What keeps me up at night is user behavior, because you don’t know when a user will click on a link or scan a QR code or open an attachment that’s malicious. So it’s important to keep a close eye on user behavior, and — to the greatest extent you’re able to — ask for and justify a security budget that includes sufficient staffing and tools, especially when environments are more complex and third and fourth parties represent the majority of your users. 


2. Increased communication is the secret to building meaningful relationships — especially with your leadership.


Understanding each leader’s experience and knowledge about security is crucial to success. Maintaining meaningful relationships with leaders means finding out what their appetite is for change, for absorbing security content, for understanding political environments, for providing you support when hard decisions need to be made, giving you reasonable latitude that demonstrates that they trust you, and identifying opportunities for educating and training them. 


Requesting time on the agendas of highly visible meetings to discuss or provide updates on security is a method I find useful, either as a guest speaker or by presenting security as a standing discussion item. Conducting monthly check-ins with “unofficial” leaders may provide institutional knowledge. Team meetings in various capacities are useful as well.


3. Practice, practice, practice — your security testing


Information security is an evolving process that changes based upon the dynamic nature of risks, threats, vulnerabilities and the information systems themselves. In order to maintain a secure posture, it is essential that the organization’s information security program be thought of as a “living document” that responds to the changing environment through its operational practice and a consistently applied process of maintenance and review. 

As incidents and breaches continue to accelerate, it is becoming more important for organizations to prepare for them not just through tabletop conversations but with real-time business continuity and disaster recovery “functional” testing. Teams can benefit from functional testing because they respond hands-on, which may reveal their readiness level and opportunities for adjustment.


4. Give your security training a facelift. 


We can mitigate many internal threats through clear and thoughtful cybersecurity training for employees and contractors. Assessing your cybersecurity training, awareness, and education is critical to understanding the culture you are working within. Cybersecurity training should target users based on their responsibilities and work environment. Sometimes, gamification as a method of training can be useful for the more technical users. Assess the appetite for it, as not all users may find gamification meaningful and it may be more expensive to implement. 


5. Invest in the next generation of cybersecurity talent. 


As a cybersecurity leader, you have a unique opportunity to help junior cybersecurity professionals cultivate their networks and advance their careers. When I look at my team members, I make it a point to understand their strengths and weaknesses, and then tailor the coaching, mentorship and guidance to fit their needs or growth.


Once my team members figure out their career progression or enhancement goals, I support their next steps as much as possible. It could be taking an educational course, learning a new skill set, shadowing another employee, building new relationships, or taking on additional responsibilities so they will be able to pursue a different position in the future. Leaders should advocate for their staff’s growth, as it benefits the organization as a whole while reducing staff turnover.




Shefali Mookencherry is Chief Information Security and Privacy Officer for the University of Illinois, Chicago. With two decades of experience in the cybersecurity and higher education industries, and three decades in healthcare, Mookencherry is a largely self-taught security leader. She has a bachelor’s of health information management from the University of Illinois, Chicago, as well as two master’s degrees from Benedictine University in Public Health and Management Information Systems.

