Collective Intelligence Podcast, CISOs and the Security Culture
By Mike Mimoso
Embedding security deep inside the culture of an enterprise or a smaller organization means two things to Anthony Johnson, an industry veteran and former Fortune 100 CISO. One, organizations must have a security mindset ingrained at every layer of the business, and two, they must move toward enabling not only security technology but also processes.
“Great security should be really easy,” Johnson said. “Fundamentally, it should also be hard to do the wrong thing. If you need an exception to policy or deviation, it should be painful. It should feel like you’re going to the DMV and you have to wait. Then you’ll avoid that. Then it’s up to the industry leaders and practitioners to set the bar for the future: Make it easy to do the right thing, make it hard to do the wrong thing. That embodies what a culture of security is in my mind.”
In this episode of the Collective Intelligence Podcast, Johnson, who is currently a managing partner at Delve Risk, explains how and why security leaders need to set a high bar with decision makers and rank-and-file employees to ensure that business processes and core competencies are executed in a secure fashion.
Despite being a longtime security leader, Johnson doesn’t let himself or his counterparts off the hook when it comes to lingering challenges in bringing a secure culture to the forefront. Johnson points out that attempts to elevate security by selling fear should be an automatic non-starter.
“If you go into the C-suite and talk about the sky falling, you’re not building credibility as someone who understands the business,” Johnson said. “You’re building credibility almost as a business bully. If you don’t do this, this is how bad it is for you.” Rational business decisions don’t come out of fear-mongering, Johnson says, adding that it builds a negative impression of CISOs and security leaders as people “who like to tell scary stories.”
CISOs should understand, instead, how companies make money and how security can support the bottom line and enable employees to make the right decisions while considering risk.
Johnson also discusses how the concept of security champions within lines of business has evolved over his career, and why it’s risky for security leaders to view people as the weakest link in terms of privacy and security inside the enterprise. He also talks about the value of security awareness training, and shares some advice from a trusted mentor.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.