Implementing an information security program can seem like a daunting task for any company. Whether you are starting a security program for the first time, looking to consolidate your security policies and procedures into one place, or are being asked by your vendors how you meet the latest compliance standards… we’ve seen it all at Carbide.
That’s why we wanted to share some tips for successfully implementing your company’s program, from the customer success perspective. At any stage of the implementation process, you want security adopted as part of the company’s culture.
Make Information Security Part of Company Culture
Closing deals and proving to clients that you can meet their security needs is a common reason for starting a security program. It has been a clear trend in security over the last few years.
Often this makes security seem like a box that needs to be ticked, rather than something that is part of every employee’s day-to-day role. For a program to succeed, security needs to be part of your company’s culture, and that culture has to run from new hires all the way up to senior management.
You have to lead by example. When the CEO visibly follows the company’s security procedures, it shows employees how seriously the company takes information security, and that everyone, not just the intern or the new hire, is expected to do the same.
Don’t undervalue the role of board members either. The board oversees the CEO, and it is ultimately accountable for the security of the company. When security becomes part of the company culture, adoption increases across all employees, the fear of an incident is reduced, and security becomes one more part of each employee’s day-to-day responsibilities.
Create a Team or Champion for Information Security
Having a dedicated information security role is not practical for every company, particularly small businesses and startups. Large companies commonly have a team or a dedicated employee who manages the implementation and adoption of the program; small-to-medium businesses and startups usually do not have the luxury of hiring someone for this role.
Often a CTO, CEO, or another member of senior management in a smaller company has to take on these responsibilities on top of their other duties. They may not be able to give the extra tasks enough time, may resist the additional responsibility, or may not see them as a priority.
When choosing an InfoSec lead, make sure this individual understands the importance of the security program, and how it relates not only to their own role but to the company culture as well. For smaller companies and startups, a team approach can help spread the workload: divide up tasks such as managing local backups or overseeing the password policy, and make each owner accountable for theirs. The goal is to improve both the implementation and the adoption of the program.
Information Security from an Employee’s First Day to Their Last
Another tip is to have every employee review the role that information security plays in your company. New employees need to be trained in their duties based on their position, and security best practices belong in that training. In practice, employees are the weakest link when it comes to information security.
However, it isn’t enough to focus on this training once, or even annually. It should be an ongoing process over the employee’s entire time with the company. As new threats emerge, employees should be educated about them. At least once a year, they should demonstrate compliance with company policies and be asked to complete quizzes or tests that assess their understanding. Information security is not static, and attackers do not stop changing their tactics. The same applies on the way out: an employee’s last day should trigger the offboarding steps in your policies, such as returning equipment and revoking access. Having an ongoing process with regular training and updates demonstrates to each employee just how important this is for your company, and increases employee participation in and adoption of your program.