Security is paramount at the nation's central bank. If you have visited our building, we use metal detectors and x-ray scanners that serve as reminders to our employees and visitors that we have measures in place to protect the large amounts of cash housed inside our vaults.
[ Read also: 12 bad enterprise security habits to break. ]
But we also have measures in place to protect our digital assets — the trillions of dollars that flow through our applications every day are the base of the U.S. financial system. Because our employees and their actions play a significant role in protecting our organization from a cybersecurity threat, we’ve worked diligently to build awareness and a stronger culture of security.
To do this at the Federal Reserve Bank of Boston, we’ve focused on changing the habits of our employees, both inside IT and throughout the organization, through awareness programs and efforts to support the business.
Elevating company-wide security awareness
Employees in every organization have varying levels of security aptitude: Some are wary of opening email attachments from unknown senders while others click without regard. To elevate our employees’ awareness of the actions they take and the consequences they have, we’ve put in place a number of security-based programs.
We hold cybersecurity training a few times every year, for example, during which employees receive a refresher on our policies and standards. We walk them through security scenarios and test them on actions they would take. If a security incident happens in the future, they’re better equipped to take the appropriate steps.
We also embed security reminders in our everyday environment. Our computers’ screensavers aren’t your typical slideshow of images; they’re reminders of security threats. One might read, “Your Facebook account has been hacked,” while another might say, “Your computer has been taken over.”
I’ve sat down in meetings in my office when the screen saver popped up. Someone inevitably jumps because they think my computer has been compromised. It’s a constant reminder to everyone that security is serious.
We also test our employees’ security awareness through fake phishing emails. Emails are typically crafted around something else going on increasing the likelihood that the employee would click. For example, sending an online greeting card around the holidays, a W2 during tax season, or an update on vacation balances.
These fake phishing emails are intended to train our employees to focus, take their time, and think about their actions. If an employee fails the test, they are required to retake the most recent security training class, and if they continue to fail the consequences escalate, including discussions with their management and our security team. If they fail multiple times, higher levels of management get involved; employees have been terminated in the past because it’s become a performance issue.
[ Are you speaking the wrong language? See How to talk to normal people about security. ]
These programs have been tremendously valuable in building a culture of security. When we are targeted by phishing incidents, it is rewarding to see that most users do not fall for it. We will often celebrate this and congratulate the individuals for their diligence. We will review and share the incident with the executive team, our board of directors, and in many cases, our entire employee population to remind them that we are a target and the important role employees play in avoiding a major incident.
Changing the perception of security
While improving employee awareness is crucial in building a culture of security, so is the companywide perception of cybersecurity. A few years ago, the cybersecurity organization was perceived as the “the ones who said no;” we wanted to change this and make sure we were providing guardrails to enable the business instead.
We made some staffing changes and focused our efforts on understanding the business and being more helpful. Instead of saying, “Oh, get us involved at some point and we’ll let you know whether you can do it,” for example, we say, “Hey, get us involved right from the start. Let’s talk about the problem and we’ll figure out how to do it securely for you.”
This eliminates the business’s burden to figure out how to do something securely; instead, our information security folks are doing that for them. Having people on our security team who understand the business and their goals has been very beneficial. Today, our business lines are immediately engaging security when they have an idea and are talking openly about how appreciative they are for security’s help.
Changing the perception of security has to start at the top. When I was in meetings and someone would say, “This is something we want to do, but security probably won’t let us,” I’d shut down that notion immediately by saying, “Let us know what you want to do, let’s engage early, and we’ll figure out a way.”
Security’s job isn’t to say yes or no — that’s the business’s responsibility. Security’s job is to help advise the business about the risk they are accepting or inheriting. We’ve adopted the consulting mantra of, “We’ve examined the solution, we’ve made some recommendations, and here are the three things in terms of residual risks that you’re expecting.”
To build a culture of security, the security and IT teams need to be respected. You earn respect by partnering with, enabling, and guiding the business. Changing these habits — and those of your employees — set the foundation for a strong security culture.
[ Want expert advice from your peers on leading IT culture change? Get our free eBook, The Open Organization Guide to IT Culture Change. ]