Five ways organisations can foster a security-conscious culture to protect their assets and brand.
By Anaïs Beaucousin, Chief Business Security Officer, ADP International
In the ever-evolving landscape of corporate security, the role of the Chief Business Security Officer (CBSO) has undergone a profound transformation. While the position has long been synonymous with safeguarding business interests, the escalating complexity of cyber threats, data security management and geopolitical events now require additional skills, focus and responsibility.
Today’s CBSO navigates many diverse risks – from fraud and cybercrime to natural disasters and geopolitical issues – across various business lines. The key is achieving full convergence by blending skills in IT, cyber, and law enforcement with business acumen to ensure comprehensive security coverage of an organisation.
To succeed in this role, we must also adapt. This means not just serving as a security advisor, but also being a versatile leader who can inspire employees to collectively take on the responsibility of security.
This article explores the evolving role of a CBSO and offers strategies for companies of all sizes to cultivate a security-first culture. Success in this position hinges on diverse expertise, adaptability, and the realisation that, in the realm of security, everyone plays a vital role. But where should organisations start?
1. Align security strategy to business vision
The primary role of a CBSO is to help deliver growth for the organisation while keeping up with the pace of continually evolving threats. To achieve this, you need to align security practices with your business strategy and vision.
ADP’s vision, for example, is to design for people and transform businesses through data insights and innovation. We never lose sight of that vision from a security standpoint, whether it is rolling out a new service to our clients, instituting a new internal policy or providing rigorous training to employees or partners.
Consider cybercrime as an example: cybercriminal groups now often have business models, structures, and functions that resemble those of mainstream companies. Though these threats operate discreetly, awareness amongst clients and the public is growing, reaching beyond the cybersecurity experts.
Therefore, cybersecurity cannot operate as a silo; it must be woven into the fabric of your business. Aligning your security strategy with your organisational vision not only helps to safeguard the company and its customers but can help you drive business impact and protect your brand.
2. Ensure security by design
By prioritising the integration of security measures across all facets of operations, a company can fortify itself against potential threats and vulnerabilities.
For example, when ADP develops a new product, we place security at the heart of its creation. It’s what we call “security by design.” Our security team trains our developers regularly to ensure that product development has security embedded from the start. Here, compliance is crucial, ensuring ongoing adherence to data regulations in all global markets.
Embedding security by design is critical for the business and for your stakeholders. When done right, it can help foster trust amongst employees, customers, suppliers, and partners.
3. Stay two steps ahead of threats
To stay two steps ahead of threats, you need a team of outstanding security professionals and a solid plan for keeping the business running smoothly, even when things go wrong. Working together with the business is key. By being an active participant in the business, the security team can provide valuable insights and informed suggestions precisely when needed.
Business continuity planning extends beyond the boundaries of the organisation and includes collaboration with third-party providers. For example, during moments of global disruption such as the COVID-19 pandemic, ADP’s collaboration with local partners is essential in ensuring smooth operations for our clients. With a robust, global, integrated Business Resiliency Program managed by a team of experts that account for various threat scenarios, we take all necessary actions with the aim of helping ensure that essential services remain operable for our clients across the globe. During the pandemic, we had to prepare in surrounding countries to mitigate potential service interruptions in case our partners faced challenges in running payroll. Supporting third-party providers should be a core part of your strategy - ensuring they adhere to the same stringent security processes that are expected inside your organisation. In today's business landscape, there's no room for interruptions. Clients need assurance that your company has the necessary personnel, technology, and processes to safeguard their interests.
4. Make it personal
While possessing cutting-edge security tools is crucial for protection, recognising and addressing vulnerabilities beyond technology is equally vital. Human error, a significant vulnerability, is often exploited by cybercriminals who use social engineering tactics like phishing or pretending to be insiders to extract sensitive information. In the realm of Generative AI (Gen AI), human error can also expose vulnerabilities that cyber threats can exploit.
Companies, therefore, should collaborate closely with developers to bolster their defences.
It is essential to carefully oversee the use of new technologies like Gen AI to improve security measures, ensuring that any enhancements come without compromise.
To truly strengthen workplace security, everyone needs to understand why it matters and what it means to them. A good place to start is by transforming security from office talk to a compelling narrative that makes us all responsible. You can achieve this by talking to employees about the impact of security within their specific roles. If people know how their responsibilities can impact their brand, clients and colleagues, they will be more likely to take action.
You can also share real-life stories and examples which highlight the potential impacts of security lapses in a workplace context. Use relatable situations that employees can easily imagine themselves in. This could involve incidents within the industry or analogous scenarios that emphasise the impact on individuals and teams.
Another useful technique is to provide interactive training sessions which include role playing or gamified scenarios. You can also include relevant content in your internal communications channels. At ADP, we develop newsletters, for example, where we explore a variety of safety topics both in and outside of the workplace, such as keeping children safe online. The topics help educate employees on the importance of security in their lives and how they can protect themselves and others in different contexts.
It is equally important to have a well-defined communications strategy. You need to be able to make a judgment call on what, when and how much information to share with employees without causing unnecessary panic. You want your people to be ready, not scared.
5. Test, measure, repeat
Regularly measuring security performance is vital for a strong defence. This can involve daily assessments of attempted attacks and potential vulnerabilities, along with weekly or monthly reporting for a comprehensive overview.
Sharing reports regularly with various business units ensures stakeholders have a complete picture of the corporate risk landscape, fostering a culture of security awareness and responsiveness. Where appropriate, share updates with employees as well – at Town Halls or on your Intranet. The more they know, the more prepared they can be.
Conclusion
Mastering the CBSO role goes beyond technical skills—it demands continuous learning, staying informed about cybersecurity trends, and understanding organisational intricacies. This interconnected approach enables effective anticipation and mitigation of security impacts.
Continuous education is also vital for leaders, employees, and partners. Protecting a company’s assets and brand is a shared responsibility and as previously emphasised, the goal is to prepare your people, not instil fear. Implementing the strategies outlined here can help make a meaningful difference—it shouldn’t be a daunting task, but rather a collective effort achieved through small actions over time.