    October 10, 2024

    Strengthening Security Posture Through People-First Engagement

    This article was originally published on Information Security Buzz.

    As attackers continue to find new ways to profit from vulnerabilities, organizations of all sizes face an ever-present threat. With attacks becoming more frequent and businesses growing increasingly desensitized to these risks, the importance of having a comprehensive, proactive response plan has never been more urgent.

    Verizon Business’ 2024 Data Breach Investigation Report revealed that 68% of breaches included a non-malicious human element, such as people falling for phishing schemes, mishandling sensitive information, or getting duped by a social engineering attempt. These statistics underscore a critical truth: the way people interact with and buy into the company’s security program has a massive impact on the organization’s vulnerability to breaches.

    A Critical Factor: Security

    Security is more than just a department tasked with preventing breaches and outages; it’s a core business function, as integral to an organization’s success as finance, revenue generation, or product development. The perception of an organization’s security—both internally and externally—has a direct influence on its reputation. Public trust in the company’s ability to safeguard sensitive information is key to maintaining a positive reputation. The impact of a security breach is often seen in the form of plummeting stock prices, loss of customer confidence, and a damaged brand image.

    To put it simply, security is a critical factor in how a business is perceived, both by its customers and its own team. The ripple effects of a well-managed security program (or a poorly managed one) extend far beyond the IT department. If an organization is seen as unreliable or risky, its business prospects and relationships will likely suffer.

    Measuring What Matters Most

    In larger organizations, the role of advocating for security often falls to executives like the Chief Information Security Officer (CISO) or Chief Information Officer (CIO). These leaders can champion the value, progress and needs of the security program at the top, ensuring that other executives and stakeholders are in the loop. However, in growing businesses, this task is frequently added to the IT team leader’s ever-growing list of responsibilities.

    It might seem like self-promotion, but documenting the security team’s achievements—such as threats prevented, processes improved, and successful projects—goes a long way in keeping the value of security at the top of leadership’s mind. It’s essential to shift the narrative around security so that it’s not just viewed as a quarterly budget line item or a source of bad news.

    Vendors and partners can be an asset in this area. IT teams should ask them what metrics and reporting tools they can provide to show the total cost of ownership and the value of their services. Many vendors already have built-in functionality to support audits or executive-level reporting. The key is to choose the right metrics that align with your security goals. For instance, rather than simply measuring how many people click the link in a phishing awareness exercise, focus on how quickly employees report that suspicious email. This kind of proactive behavior is more likely to prevent a real-world attack and can have a significant impact on reducing your mean-time-to-detection (MTTD) and mean-time-to-response (MTTR).
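The following is an added example, not code from the article or from any vendor tool it mentions. It turns the advice above into a concrete metric calculation: given the per-recipient results of a phishing awareness exercise, it computes the click rate alongside the report rate, the median minutes from delivery to report, and whether the first report arrived before the first click (the point at which a security team could start responding, which is what feeds MTTD and MTTR). The event data is constructed for illustration.

```python
"""Phishing-simulation metrics that emphasize report speed over click count.

Added example with constructed sample data; not the article's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimulationEvent:
    """Outcome for one recipient of a simulated phishing email."""
    user: str
    delivered: datetime
    clicked: Optional[datetime]   # None if the recipient never clicked
    reported: Optional[datetime]  # None if the recipient never reported


def minutes_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60.0


def summarize(events: list[SimulationEvent]) -> dict:
    """Compute click rate, report rate, and time-to-report statistics."""
    if not events:
        raise ValueError("no simulation events to summarize")

    total = len(events)
    clickers = [e for e in events if e.clicked is not None]
    reporters = [e for e in events if e.reported is not None]

    # Minutes from delivery to report, one value per reporting recipient.
    ttr_minutes = [minutes_between(e.reported, e.delivered) for e in reporters]

    first_click = min((e.clicked for e in clickers), default=None)
    first_report = min((e.reported for e in reporters), default=None)

    # Lead time: how many minutes before the first click the first report
    # landed. Positive means the security team had a signal before anyone
    # clicked; None if either event never happened.
    lead_time = None
    if first_click is not None and first_report is not None:
        lead_time = minutes_between(first_click, first_report)

    return {
        "recipients": total,
        "click_rate": len(clickers) / total,
        "report_rate": len(reporters) / total,
        "median_minutes_to_report": median(ttr_minutes) if ttr_minutes else None,
        "first_report_minutes": (
            minutes_between(first_report, events[0].delivered)
            if first_report is not None else None
        ),
        "report_lead_time_minutes": lead_time,
        "reported_before_any_click": (
            first_report is not None
            and (first_click is None or first_report < first_click)
        ),
    }


# Constructed sample: six recipients, all delivered at the same time.
_T0 = datetime(2024, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    SimulationEvent("alice", _T0, None, _T0 + timedelta(minutes=4)),
    SimulationEvent("bob", _T0, _T0 + timedelta(minutes=12), None),
    # carol clicked, then reported; the report still counts as a signal.
    SimulationEvent("carol", _T0, _T0 + timedelta(minutes=6), _T0 + timedelta(minutes=7)),
    SimulationEvent("dave", _T0, None, _T0 + timedelta(minutes=20)),
    SimulationEvent("erin", _T0, None, None),
    SimulationEvent("frank", _T0, _T0 + timedelta(minutes=45), None),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

With this data the click rate and report rate are both 50%, which a click-only dashboard would show as a coin toss; the report-centric view shows a median time-to-report of 7 minutes and a first report 2 minutes ahead of the first click, the kind of number that maps directly onto a detection goal.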

    Rewarding positive behaviors, like quickly reporting phishing attempts, can also help improve your security posture. Recognizing teammates for their contributions to security can encourage them to engage with the security team more proactively rather than reacting out of fear and avoidance.

    Explaining the “Why”

    One of the biggest hurdles security teams face is their reputation as the “Department of No.” Interactions with the security department can often be negative: mandatory training, investigations, or requests denied due to potential risks. This process fosters a perception of security as a roadblock to productivity. In reality, the security team works tirelessly behind the scenes to keep the organization safe. However, without intentional efforts to communicate successes and provide opportunities for positive interactions, the security team’s efforts go largely unnoticed—until something goes wrong.

    Changing this perception doesn’t mean abandoning critical controls or saying yes to every request. Instead, it involves making a conscious effort to explain the “why” behind security policies, seeking feedback on roadblocks, and showcasing wins as part of the normal business cadence. Engaging employees in conversations about their mistakes, such as when they deviate from an expected procedure, can yield valuable insights into gaps in documentation or unconsidered use cases. Finding the right balance between smart policy and “paving the road” to enable teammates’ work increases the likelihood that people will follow the policies that are deemed necessary.

    The Power of Training

    Most people don’t have a security expert on speed dial in their personal lives, so the awareness education they receive at work may be the only training they get. Treat this as an opportunity: instead of relying on click-through training modules to meet minimum insurance or compliance requirements, use security training as an opportunity to empower everyone with knowledge that benefits them both professionally and personally.

    Teach teammates about current attack trends and what to watch out for, along with good security hygiene that applies not only to work devices but also to personal activities like social media usage. This helps keep them safe from threats in their daily lives while also reinforcing organizational security by making them less susceptible to social engineering attacks.

    Additionally, consider incorporating security tips into regular team meetings or all-hands updates. Offering bite-sized information in these settings can make it more digestible and less intimidating than a lengthy, dry training module. Regular, small doses of security education help combat the “forgetting curve,” a theory developed by Hermann Ebbinghaus that suggests people forget 75% of newly learned information within a couple of days. Providing consistent refreshers ensures that the information is retained longer and more effectively.

    Shifting Perceptions

    Shifting the perception of security from one of avoidance to one of reinforcement, safety, and reliable guidance can have a profound impact on an organization’s overall security posture. When people view security as a collaborative function rather than a reactive or punitive one, they are more likely to engage meaningfully with security initiatives. This collective effort helps create a stronger, safer organization where security is everyone’s responsibility.

    Ultimately, security is a shared endeavor, and by building a culture of trust and positive reinforcement, you not only protect your business but also empower your team to protect themselves—both inside and outside the workplace. By working together, we are stronger and more secure.

    Zoe Lindsey

    Zoe Lindsey is a Security Strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and...
