2025-01-01

Diversity of views and experience can also make direct contributions to an enterprise’s resilience. “When we're building software, and we're looking at threat modeling, we want to make sure we have at least one representative from each major group of stakeholders because there are always going to be needs that somebody has that you didn't anticipate,” Ryan explains. “Getting different perspectives also means someone will realize: ‘Oh, actually, every second Thursday, the cleaners come in and they also have a set of keys to the office’ – a vulnerability you’ve never considered. You don't want to make the room so crowded that nobody can have a conversation. But you need to take a holistic view.”

“People in security tend to come from risk management, accountancy, or technology, but there are far fewer people with non-standard or unusual backgrounds in the realm, who can bring new ways of looking at these very complex problems,” agrees Doherty.

Strong executive sponsorship helps rally this diverse group of stakeholders and underlines that security is a priority. “One of the things we advocate is business leaders taking ownership of security and integrating it into their strategies, rather than it being relegated to a purely tech problem,” Doherty says. “There should always be a board member or an executive with an idea about what the organization should invest in.”

Training for business leaders can help build this capability, since many executives will lack formal security experience.

“Directors and executives are paying more attention than they used to, but they're also approaching these topics from a low base of existing knowledge, so keeping them informed on the latest developments in cybersecurity practices is really important,” says Doherty. “It’s also critical that the information that is presented to them is accessible and useful. When people come to you with ideas, whether salespeople or senior executives, you need to be able to prioritize needs over the fads. And that relies on having that understanding of the threat model, the strategy and where you're heading.”

Yang recommends appointing a chief information security officer (CISO) to lead the organization’s cybersecurity strategy and oversee its implementation in close coordination with the IT and risk leadership. “At the highest levels of the organization, there needs to be maximum support and commitment and that includes allocating resources to cybersecurity,” he says. “Traditionally, the security department operated in its own lane, but nowadays it's all about teamwork.”

Beyond the management tier, embedding ‘security champions’ throughout the enterprise can pave the way for policies and practices to be integrated at the day-to-day level.

“We have a program where we identify people on product or delivery teams who take some ownership for security,” says Doherty. “As they’re not security experts, or generally didn’t start off that way, they get training, and get connected to a community of their peers, and to the security team. They become a way of assuring the organization that necessary security controls are being integrated into the products that they're building.”

Moving from security policies to a security culture also requires honesty and transparency – as well as a degree of bravery, Ryan notes.