
Establishing an Organization's Security Culture

CSO to CSO: Establishing the Security Culture Begins from the Top

By John N. Stewart, Vice President & Chief Security Officer, Corporate Security Programs Organization, Cisco Systems

Introduction

Every organization has a security culture, and each is as unique as the organization itself. Security culture can be collaborative or argumentative, structured or unstructured. Security can be an integral part of a process beginning at the project-definition stage, or a separate process added on to an existing project. It can be ingrained (a routine water cooler topic), or reactive (a water cooler topic only when something goes wrong).

My team’s role is to define the security culture for Cisco Systems as collaborative, structured, and ingrained throughout Cisco’s processes and people. My team is responsible for aligning security with business strategy, integrating security into every business process, and instilling in our employees a sense of security vigilance.

At Cisco, we are building a security-conscious culture from the top. Cisco President and CEO John Chambers has said, “Security starts with me, the CEO, down to the individual contributor level … it’s mandatory.” As individual contributors, our responsibility for information security is reinforced annually when we sign the Code of Business Conduct, which includes the corporate information-security policies.

When security isn’t made a priority at the executive level, I believe it is less likely to be successful. If an organization’s leadership does not set the right tone, the security posture will struggle. Further, when a security failure does occur, responsibility will too often be offloaded to the “security team” rather than owned by the business unit where the failure happened.

Cisco has an advantage in that the executive team truly understands the significance of top-down support. There are many strategies you can employ to gain that support if it is still a concern for your organization.

Align Information Security with Business Strategy

The first and most important strategy is to align information security with business strategy. At Cisco, the goal is that information security is seen as a business enabler rather than a hindrance to productivity. We communicate three fundamentals, disruption, loss, and reputation, by showing how each ties directly to profitability, productivity, and brand reputation.

The risk relationship formula “Risk = Value x Threat x Vulnerability” shows that a risk to the business through disruption or loss is directly related to the value of the information and the level of threat and vulnerability that you, your systems, and your networks face each day. The higher the value, the bigger the target, and the greater the potential damage and overall risk to the company. Because the terms multiply, reducing any one of them reduces the risk; the security team can rarely change the value of an asset or the threat it attracts, so most of its work goes into the vulnerability term.

For example, viruses and worms can disrupt and threaten employee productivity. Employee productivity is CIO Brad Boston’s primary business priority, with IT enabling the business. Rather than focusing solely on how much such disruptions cost, we highlight the positive, measurable productivity gains of not having them at all. Likewise, we stress how strong security measures enhance our corporate brand: our reputation, and the expectation, that we are and will continue to be an honest, open, and trustworthy company.

Practice Risk Transference

As business executives, we are expected to take risks. Sometimes these choices are disquieting to a security team. If your security team feels that a particular project introduces risk but recognizes that the project may still be necessary, it is important to educate the team about those risks and to make it clear that they are acceptable given the current security environment. By raising the risk to the business level, where the executive who takes it owns the decision, you raise the priority of security. Sometimes risk is necessary; it is the security team’s role to ensure that the risk is taken with awareness and accountability.

Create Security Process for Leadership

Adding security process to your leadership team’s behaviors can also help the culture effort. At Cisco, certain security technologies are mandatory for our executive leadership and their administrative support teams, such as full-disk encryption of laptop hard drives, privacy screens while they travel, and ongoing briefings about travel risks. By working with both the executives and their support teams, not only are more individuals protected, but they are made aware of the risks through multiple sources: the security team, the administrative team, and their peers.

Keep Executives Informed

Make sure executives are apprised of incidents on a regular basis. For instance, we send weekly voice-mail briefings about activities in the security organization to proactively ensure that the executives are not only aware of incidents, but educated about actual events. This helps ensure security awareness at the leadership level, and it gives us champions on the executive committee who can validate the security team’s position that “bad things really do happen.”

Talk about Security in Business Terms

Money talks. We use statistical and financial models to demonstrate that spending on prevention saves money year over year, and in some cases within the first year. This brings money into the equation, and every executive understands cost, efficiency, and business cases.

In part two of this article series, John will discuss how to raise employee security awareness, a key element to cultivating a strong security culture.

About John N. Stewart: As the Cisco Systems Chief Security Officer and Vice President of Corporate Security Programs Organization, John provides leadership and direction to multiple corporate security teams, strategically aligning with business units and the IT organization to create leading corporate security practices, policies, and processes.