A Security Culture: Top Priorities for CISOs and their Teams

To bring an entire organization into the security fold, CISOs must lean on soft skills that aren't typically associated with their highly technical role.

Tim Chase, Global Field CISO, Lacework

June 5, 2023

4 Min Read
High angle shot of a group of colleagues linking arms in solidarity at work
Yuri Arcurs via Alamy Stock

Cybercrime is increasing in efficiency, efficacy, and scale. Although organizations are frantically trying to prevent attacks from reaching their environments, there’s also an understanding that breaches are inevitable. According to IBM’s 2022 Cost of a Data Breach report, 83% of organizations studied have had more than one data breach. So it’s no longer a question of if a data breach will happen, but when.

The main line of defense against cyber criminals for most organizations is their security team, often led by a chief security information officer. Traditionally, CISOs spearhead internal and external information protection efforts, but the current cyber risk environment is expanding their role.

It’s no longer enough to create a security plan and rely on those with technical know-how to execute. CISOs must be able to communicate complex security concepts to all employees, even those in the C-suite and the boardroom. Doing so requires building a culture of security transparency and accountability rooted in the boardroom that then permeates through the rest of the organization. One way to look at it is that CISOs have a toolbox full of priorities, best practices, and insights they pull from to keep organizations secure. To successfully guard against increasingly complex and pervasive threats, the top CISOs are adjusting the contents of their toolboxes to include tools that a wider variety of people understand how to use. 

It Starts with a Good Foundation

When building a culture of security, it’s imperative to focus on security from the very beginning of the product life cycle. That helps to ensure all employees are up to date on best practices so security flaws can be identified as early as possible. Rather than waiting until a product is almost fully built to add in security features, CISOs are directing teams to start testing and implementing security early in the development process to keep user data safe from the start. By helping those team members across an organization -- from security engineers and accountants to executives -- understand the importance of addressing risks early, CISOs lay the groundwork for an intrinsic understanding of security.

Soft Skills: The Basis of an Effective Security Program

While security roles have traditionally been viewed as highly technical and culture-agnostic, top CISOs today recognize that soft skills are just as important. The best CISOs can speak across groups and understand the language of both the business and technical worlds.

In order to push security across the entire organization and create a healthy security culture, CISOs must be able to influence people; that means coming across as a partner and not as the company police. This requires strong people skills and the ability to build relationships across groups. Modern CISOs are evolving to prioritize soft skill development and culture-building initiatives, such as employee engagement and observability, in order to see that the security practices they know are best for the company actually implemented at large. 

A Culture-Oriented Approach to Measuring Success

Security roles are typically highly technical and not traditionally seen as major culture-drivers within a company. But top CISOs are now prioritizing culture-oriented measurements like employee engagement and observability. By building a culture of transparency and accountability, people at every level gain an understanding of their assets and associated risks. That is necessitated by the incessant rise of complex security threats. One of the most effective ways to cement security into an organization’s culture is to make people want to adopt security measures instead of feeling as though they are forced to.

To make security a foundational part of an organization’s culture, CISO priorities are adjusting to include the following:

  • Basing security programs on excitement and employee engagement, rather than mandates.

  • Driving diversity forward, as complementary skill sets are essential to organizational success

  • Advocating for visibility and observability so employees understand what assets are at risk and how they can proactively protect them

  • Every team in the organization needs to own their security; security teams provide guardrails and tools but should act as auditors and educators while each individual team implements security best practices. 

  • Sharing actionable advice based on personal experiences helps people see security as a business enabler rather than a barrier.The current threat landscape is make-or-break. Take one glance at the news each day and you’ll see cyber criminals are becoming emboldened and succeeding more than ever. As organizations struggle to keep their security posture ahead of an ever-evolving threat landscape, security leaders need to ensure their security program is inclusive of everyone who touches their organization’s environment. By leaning on skills not found in a textbook, intertwining company culture with security knowledge, and requiring safe practices to be a top consideration rather than an add-on, the best CISOs are equipped with the tools needed to bring their entire organization into the security fold.

About the Author(s)

Tim Chase

Global Field CISO, Lacework , Lacework

Tim Chase has over 15 years of information security experience across many different roles, including an extensive background working at the Board and Executive level to promote security and guide decision making. He is an expert in building robust security programs and managing risks while meeting the evolving security needs of organizations. Prior to Lacework, he was the Director of Field Security at data intelligence company Collibra.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights