How to Promote Security without using Fear

Eric Vanderburg

We’ve seen quite a variety of online threats recently. A simple email containing a convincing subject line can compromise a computer, infect a network or shut down operations. Just recently, the security world had to deal with the Heartbleed bug, which has weakened web encryption. And of course, there’s the never-ending problem of identity theft and the stealing of bank details. These issues are pushing organizations to tighten up the defense of their data.

The predominant message seen today is BEWARE or PANIC because of this problem or that problem. While fear can be a motivator, continued use of these tactics tends to diminish their impact, making them less effective in the long term. So how does an organization spread the message of security without using fear?

Establish an understanding between executives and information security personnel

These two branches in an organization must come to an agreement. Data protection is the bread and butter of security personnel and they should be able to explain things clearly to executives in a way that makes it sound like they’re in a Terminator movie. Information security officers should be able to persuade management to put in security features that will ensure the protection of their data, from basic security measures to more advanced ones as needed.

Sometimes, it’s difficult for security professionals to convince executives to spend more on security measures because there is no clear return on investment (ROI). For example, when an executive asks why he should allocate a percentage of the budget for a secure system, security staff have a much harder time showing the return than would be seen with other capital expenditures.

What those in charge of security need to do is make executives understand the repercussions of not investing in security equipment. They can present case studies of companies that got hacked, what caused the attack and how they suffered. By doing this, executives become more aware of the pressing need for security.

Make sure employees understand the importance of security

Just like child rearing, companies must use constant reminders to reinforce the behaviors that will keep company data safe. Data security for employees should feel like an important part of their day rather than a chore. Raising awareness about the need to protect data makes employees much more informed about the limits of what they can and cannot do.

As an example, new employees should get educated on the security measures that the company has. In addition to lecturing them on the proper creation of passwords and other protocols, make them understand that the data on their phones is vulnerable to attack. It may sound scary, but reassure them that sticking to procedure limits the chances of them getting hacked and risking the entire organization in the process.

Essentially, we have become numb to fear. Security practitioners must be able to do more than scare people into implementing security. Security must be seen as valuable within the organization.

TCDI | Computer Forensics | Cybersecurity | Litigation Technology