We know we need to encourage our teams to think security-first across every department. But what does this really mean in practice? For security companies, it might be less of a leap to bring a security mindset to legal, procurement, or marketing teams. For organizations whose core business is in another industry, it might take a little more to translate this into actionable steps people can take.
IT is traditionally responsible for implementing security tools and processes, and HR and people teams are the primary leads for building company culture. However, leadership carries a heavy responsibility for setting the tone and priority around creating a culture of security across the entire organization. When it comes time to evaluate how each of your departments measures up in modeling a security-first mentality, these key questions can help you assess your progress.
- Are you regularly reinforcing the company’s vision and values around security both internally and externally?
- Do you model security-first behavior for all staff in how you use personal devices at work?
- Do you communicate the company’s commitment to security to candidates during the interview process? To new hires during onboarding? To existing employees during review cycles?
- Do you have clearly documented governance for handling sensitive employee data?
Sales & Marketing
- Do you share the company’s security-first approach with prospects and customers throughout ordinary communications?
- Do you understand the processes to keep data safe within your CRM, marketing automation platform, or other databases housing customer information?
- Is security included in your initial requirements set when developing or updating products?
- Do you have clear procedures for testing security risks in the final stages of product development?
Embedding security as a way of life is not a one-time event. It requires ongoing education through a variety of channels. Setting the tone from executive leadership is key, but this must be reinforced by direct management and across peer groups. Through this, employees will begin to have a clear picture of the type of actions aligned with a culture of security. It’s important to clearly communicate the risks of inaction as well, so staff feel the gravity of the part they play and can prioritize security over convenience.
Knowing what questions to ask your department leads will provide invaluable insight into how they can insert security-first thinking into their areas of responsibility in the business. When teams understand what’s expected of them and how they can prioritize security-centered behavior without it impeding their primary responsibilities, a culture of security is a natural outcome.
Questions to Help Evaluate Security-First Thinking Across Departments
Creating a culture of security means every person in each department plays a part. But do they know what their responsibility is in practical terms? Ask team leads these questions to help evaluate.