Three Security Pillars (part 1): The Most Important Parts of Your Security Culture and Program Are the People
Demetrios Lazarikos (Laz)
April 18, 2022
As emphasized by SFIA (Skills Framework for the Information Age), everyone holds information security responsibilities. Individuals and organizations need to consider how to embed secure working practices into everything they do. Security is a team sport – this means everyone needs to be aware of security and make it a generally accepted part of their everyday working and management practices. Applying this principle means more than just introducing cybersecurity awareness training—it’s about setting performance goals for all employees of the company, having regular conversations with them, and giving them a safe space to ask questions and share information with their managers and the InfoSec team throughout the year.
It is also about your own team, ensuring they too have a safe and productive environment in which to do what is best for the organization, not just to prove they are meeting a quantitative set of metrics (we’ll be covering this in an upcoming blog post). That’s only half the story. You know this, but what do you, as CISOs, need to do about it?
Along these lines, earlier this month, I introduced an overview of lessons learned across the three security pillars of People + Process + Technology. You can take these lessons into 2021 as you evolve your current CISO role (or future security leadership role) and architect an enhanced InfoSec program for your organization. I would like to share some of my lessons learned and some of the questions I’ve successfully used:
- How are you taking good care of your teams?
- When you define “team,” how are you extending this beyond just your direct reports?
- How do you look at technology?
- How do you look at risk?
- How will the human element set you up for great things in 2021?
When discussing and answering these questions, language, conversations, communication, and collaboration deserve focused attention. Let’s dig into this a bit more.
Which People Do CISOs Need to Think About?
We often hear—maybe even say to ourselves—people are an essential part of the business. What does this mean? To whom are we referring?
Sure, you care deeply about your InfoSec team—the crew that keeps things up-and-running securely every day. And it’s abundantly clear that you need to take care of them.
Here are two things you can focus on to ensure your team is happy, healthy, and ready to fight the good fight with you:
- Provide Ongoing Training — Not just for technology, but also for understanding the value of their role in support of the business. There is also an opportunity to instill an environment where communication and collaboration thrive throughout the company.
- Diversify Roles — Give your team a chance to spread their wings and explore new areas that are valuable to the organization. Let them push the envelope to make a considerable impact instead of just meeting the status quo (a “labs” mentality).
Please don’t be myopic in your Security Leadership role. Embrace other teams and people from within the organization. Consider these strategies as we move into 2021 and extend your view of who’s working with you outside of your InfoSec team:
- Coach people outside of your InfoSec team on what role they play in addressing cyber risk.
- Explain their role in identifying, communicating, and helping to mitigate cyber risk.
- Communicate the threats they face as individuals and as an organization.
- Teach them how to respond to an attack (brainstorming through workshops with attacks against their devices and accounts, their departments, and the business as a whole).
Sharing this information with people outside of InfoSec is vital because the entire organization is an extension of the InfoSec team. Security is a team sport.
So much so, I want to share three additional points:
- How do you run your strategy, planning, and update meetings?
- How many people from outside your team are participating?
- What’s the mix of business and technology participating in your strategy and meetings?
As we covered in the CISO/GC/CPO/DPO blog, it’s important to understand perspectives and expectations. What are the goals and objectives of each part of the business, and how do those goals and objectives impact your security program (and vice versa)?
Laz has 30+ years of industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.