Turns out, a lot. Get people to fall in love with the security team, and you’ll get them to care about security, CISOs say in this second installment of a two-part series.
Cybersecurity Culture- Fredrick “Flee” Lee is CISO at Gusto, a cloud-based payroll, benefits, and human resource management software provider. Along with his fun-sounding nickname, he has a playful view on how to get organizationwide buy in on security: Get people to fall in love with the security team.
“The key to building and instilling a security culture within an organization is to make security lovable,” Lee says. “Security can’t hide behind their hoodies, so to speak. Security should be the most approachable team in the room so that other teams within the organization want to actively engage with [them], instead of skirting around [them].”
Security is serious, Lee explains, but you want your security team to be approachable — to be seen as the helpers, he says. Nail that and suddenly security isn’t seen as a roadblock or barrier; it’s the team who’s going to go out and find solutions to securely enable products and features that weren’t possible in the past.
At Gusto Lee says he accomplishes this by conducting security team-building and offsite activities with colleagues from other teams, and by having an open-door policy and office hours so anyone, from any division, can feel welcome to approach with questions. He also offers lab-based training for developers.
“You don’t get someone to fall in love with a sport by throwing the rule book at them,” Lee says. “You let people experience it. At Gusto, we’ve implemented lab-based training with an emphasis on collaboration. Our security pros don’t go up to a whiteboard and dictate what to do to developers as a lecture. Instead, we create learning modules that enable developers to think like hackers. We let them wear the hoodie, so to speak. That way we create champions and evangelists who get their teams excited about security.”
Lee also makes sure to keep his security folks visible year-round by seating them among the teams they support.