How common is it for the security team to be in a meeting, discussing all the security risks and gaps but with little ability to make any change? This is because the people who can make the decision aren't at the table. Despite all the frequent press about security breaches at companies around the world, organisations are struggling to change how they think about security.
I previously blogged about creating a community of practice to develop our skills with Amazon Web Services (AWS). It mostly attracted software engineers who were keen to develop new skills, but those skills are also needed by the business to build and run the company’s growing infrastructure.
At the same time, we also formed a community of practice for security. This was open to anyone in the business who wanted to learn more about information security. With the focus on learning, the community attracted staff from Support, Sales, Product, and Engineering.
The kick-off involved brainstorming what information security is, what some of the threats to the business are, and what we could do to improve how we protect client information. The level of knowledge and understanding varied considerably, but everyone participated, everyone learned something, and we grew closer to a common understanding.
The first project the community will undertake is password management and rolling out LastPass to all staff. The community is putting together a presentation on the importance of strong passwords and instructions on how to use LastPass. A competition between departments will provide further motivation, with emails during the week on the more advanced features, each of which increases the chance of winning the prize. Last but not least, the community is helping people in their teams, one-on-one, to improve their security understanding and behaviour.
There are no policies, no risk register reviews, no meeting agendas and no minutes... at least not yet. Instead, we have company-wide engagement and motivated staff who can drive incremental changes across the business.
This post was written by David Chatterton, CTO of MedAdvisor.