How to Embed Security Awareness in Business Processes

A startlingly high number of businesses still do not give cybersecurity awareness training to their employees. Learn how to implement such a program for your team.

by Hakon Olsen · Apr. 17, 2017 · Opinion

All businesses have processes for their operations: production, sales, support, IT, procurement, auditing, and so on.

All businesses also need risk management. Traditional risk management has focused on financial risks and on health, safety, and environment (HSE) risks, and these governance activities are legal requirements in most countries. More recently, cybersecurity has caught mainstream attention, thanks to heavy (and often exaggerated) media coverage of breaches. Cyber threats are a real risk amplifier for any data-centric business, so they need to be dealt with as part of risk management. In many businesses this is still not the case, as discussed in detail in this excellent Forbes article.


Most employees do not even get basic cybersecurity training at work. Is that an indicator that businesses have not embedded security practices in their day-to-day operations? Two common leadership mistakes contribute to this:

  1. Viewing cybersecurity as an IT issue alone. IT obviously plays a big role, but the whole organization must pull together.
  2. Viewing security as a "set and forget" activity. Few leaders would treat HSE risks that way, and even fewer would treat financial risks that way.

The key to operating at a reasonable risk level is to embed risk management in every business process. For each process, this includes activities such as:

  • Identify and evaluate the risks to the business that arise from the process in question.
  • Design controls where appropriate, and evaluate each control against other business objectives as well as security.
  • Plan recovery and incident handling.
  • Monitor risk (e.g. measurements, auditing, reporting).
  • Get your people processes right (e.g. roles and responsibilities, hiring, firing, training, leadership, performance management).

What Does the Security Aware Organization Look Like?

Boiling this down to practice, what would be some key characteristics of a business that has successfully embedded security in its operations?

Cybersecurity is a standard item on the board meeting agenda. The directors review security governance together with other governance issues, and also consider how security can be a growth enhancer for the business in the markets in which it operates.

Procurement considers security when selecting suppliers. It identifies cybersecurity threats together with other supply chain risks and acts accordingly, and it ensures that baseline security requirements are included in every supplier assessment.

The CISO does not report to the head of IT. The CISO reports directly to the CEO and is regularly involved in strategic business decisions across all aspects of operations.

The company has an internal auditing system that includes cybersecurity. It has based its security governance on an established framework and has created standardized ways of measuring compliance, ranging from automated audits of IT system logs to employee surveys and policy compliance audits.

Human Resources is seen as a key department for security management. HR is involved in designing role requirements, performance management tools, and training materials, and it is heavily involved in helping leaders build a security-aware culture in the company. HR should also be a key resource when evaluating M&A activities for cultural fit, including cybersecurity culture.

If you are looking to improve your company's cybersecurity governance, introducing best practices based on a framework or a standard is a good starting point. See How to build up your information security management system in accordance with ISO 27001 for practical tips on how to do that.


Published at DZone with permission of Hakon Olsen, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
