This article was originally published on Forbes.
When faced with escalating risks, it’s easy to get so focused on constructing walls of protection that we forget cybersecurity teams need to be just as skilled at building bridges. Even the most elaborate technology barriers will fail without bridges of communication and collaboration across your entire organization.
Considering the high-profile cybersecurity breaches of the past year, I believe one of the root causes — and greatest risks — is that security too often operates in a silo. Whether an employee fell for a phishing attack or a well-meaning employee politely held a door open for an unknown person behind them, it’s clear there was a disconnect between security and the rest of the organization.
At SYKES, we’ve worked hard over the years to instill security best practices across our entire organization. Tearing down the silos has been a central part of that ongoing effort — here are four ways Information Security teams can break down silos:
1. Get the right tone at the top.
Your CEO needs to make it clear that the company places the highest priority on protecting the security and privacy of its employees, customers, organization and data. This must go beyond lip service and compliance to communicate a commitment at every level, embedding security awareness within the company’s culture.
It’s essential that the CEO give security a seat at the table and be ready to listen and help. This sets an example for other executives, so they know to do the same. The message from the CEO must be, “You need to listen to, help and partner with our security team.”
At SYKES, we have a C-level data governance committee that includes many of the CEO’s direct reports. While security and compliance calls and leads the meeting, it’s not “our meeting.” Rather, it’s a company meeting with representation from multiple departments to help tear down silos, communicate and make cross-functional decisions around privacy.
The tone at the top also needs to be an open dialogue of mutual expectation and education. For example, as security gets more sophisticated in detection technology and processes — if we’re doing it well — we’re going to be detecting more issues than before. That means the metrics, at first glance, may indicate that the company has more problems. But the reality is that we’re doing a better job of detection while simultaneously improving protection and prevention. The executive team needs to recognize and accept that.
2. Be service-oriented.
Executive security leadership needs to set a service-oriented tone for the organization, requiring and reinforcing that the security team be a responsive, customer-centric service organization rather than traffic cops. Your security team must be seen as a service organization by the rest of the enterprise. Part of this involves adopting a risk-based mindset, which means assessing and communicating risks, agreeing on acceptable risk levels and setting mitigation measures based on risk profiles.
If security isn’t a service organization, then silos are reinforced and other departments will simply go around us. I’m sure you’ve seen teams in your own organization that don’t want to talk to security because they assume they’ll only hit barriers. While being careful not to violate company policy, they talk to security as little as possible, just to meet compliance requirements. Obviously, this isn’t healthy.
Over the years, our security team has worked hard to change that mindset by being accountable for the way we engage with other departments as professional partners. Now our security team gets called in frequently on issues to support our clients.
3. Remember that security is also about people.
Many recent cybersecurity articles focus on technological advancements, and I’m excited about the future of pattern recognition, machine learning and AI in cybersecurity. That said, people are still essential to the process; judgment, education and action make humans simultaneously the most important part of the security chain and its weakest link.
Whether it’s clicking on a phishing email, writing passwords on sticky notes or using the same credentials for multiple accounts, we can’t control human behavior. We can set password requirements, we can employ user-behavior analytics (UBA) and work-pattern analysis, we can educate and we can lock down the back end to mitigate damage, but we can’t force people to change their behaviors.
Given this challenge, security needs to work closely with our partners. For example, we work with human resources (HR) to embed security in the talent-acquisition phase, since our first line of defense is to stop bad actors from getting in. We also coordinate closely with our talent development team to create more effective security and ethics training for new and existing employees. The primary point is that we need to partner with all areas of the organization to make security a team sport rather than a single department’s mandate.
4. Show humility.
One key to tearing down silos between security and the rest of your organization is to check the behavior of your security team itself. Do your team members see their role as enforcing rules or helping others accomplish their goals in a secure way?
We’ve found that there are ways to take people with raw technical talent and coach them to become true business leaders. While they have the skillset needed to complete the job, we work to develop their communication and collaboration skills. As cybersecurity and business continuity needs become more sophisticated, companies may also look for security leaders who bring more business and communications acumen to the role.
While expertise, confidence and fortitude are necessary, humility is an essential (and often overlooked) characteristic for security professionals to truly connect with other teams. We’re fortunate at SYKES to work closely with many different industries, all with similar yet diverse security challenges. It’s paramount that our security team remain humble and open to learning so we can truly incorporate this external wealth of industry knowledge to keep pushing our expertise.
Silos are common across industries, but the better security teams get at building bridges across the entire organization, the more you’ll see those silos come tumbling down.