Promote security from the top down
Security initiatives should be mandated and supported at the top levels of the organization. At Endurance, information security is a board-level agenda item and a strategic business objective, says Terry. "Being able to work with your executive team and senior management to help share the communication message makes it much easier rather than being an IT-centric responsibility."
Royal Philips recognized the need for top-down security communications when it created a corporate-level organization called Information Security and named Mankovich its first chief information security officer in January 2012. The group "is focused on a simple pitch, which is the adequate protection of information that affects the business of Philips," Mankovich says. "That could mean my laptop, my notebook, even information that's in my head. And it's everybody's responsibility."
Share your company's hack history
Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your own company's systems, or incidents within business units, can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.
Harkins agrees. "[Security leaders] have got to show logic, show data, and relate it to the business goals and, if not addressed, what impact it can have toward achieving those goals," he says. "The more your predictions start to come true, [the more] you're demonstrating you know what you're doing and you're not trying to impede the business, you're trying to help the business."
Intel has found ways to put breach data to good use without sharing too much confidential information. For instance: "We had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them," Harkins relates.
Intel also posts its lost or stolen laptop rates and reminds people how to take care of equipment. It will also share general investigation or incident details, including mistakes made by employees, such as posting information to a social site, and describe the risk that created for the company, Harkins says. "But we don't share who did it or other details that would embarrass or create issues for the employee," he clarifies.