When a data breach occurs, one of the first things business leaders tend to think about is who or what to blame. This can be a difficult question to answer, in which case the blame will likely shift throughout the organization as leaders, employees, and departments point the finger at one another, often without any solid evidence. If that situation sounds familiar, then you might have a serious problem with accountability in your company.
Maintaining a culture of accountability is essential for upholding compliance with the DFARS 252.204-7012 clause which governs the safeguarding of information pertaining to the US DoD. The clause aligns with the globally recognized NIST 800-171 information security framework, and compliance is mandatory for any organization that is, or seeks to become, part of the US Defense Industrial Base.
What is accountability?
Technical security measures have come a long way in recent years, but the threat landscape has also evolved. One thing that has never changed, however, is that no amount of technical controls alone can keep a company safe. While the DFARS 252.204-7012 clause, which aligns with the NIST 800-171 standard, defines a robust baseline for security, the ability to maintain and enforce these controls requires an organization-wide culture change.
Accountability is a key element of any organization that has achieved a high level of security maturity. Accountability means that everyone in the company must own the responsibility to keep the organization and its data, employees, and clients safe. It means people will be held responsible for their own actions but, at the same time, are unafraid of reporting suspicious incidents and behaviors. This gives security teams a chance to tackle them before they have far-reaching consequences.
Leaders must lead by example
Any organization-wide culture change begins at the leadership level, not least because leaders are themselves a favorite target for attackers owing to the wealth of valuable information they have access to. After all, it hardly looks good if an executive-level employee falls victim to a social engineering scam.
Leaders have the responsibility to instill the fact that security belongs to everyone, and that it is not just the domain of a dedicated IT department. Thus, leaders must also hold themselves accountable and lead by example to encourage everyone else on the team to feel like security people themselves.
Training must apply to everyone
Since information security is everyone’s responsibility, it is only reasonable that training should be compulsory for everyone on the team. While more ambitious attackers might go after high-level employees, opportunists looking for easy pickings often go after low-ranking employees who they likely perceive as being poorly prepared.
Training programs should be engaging and ongoing to keep teams up to date with the latest threats and continuously build up a culture of accountability. Having a team-driven experience with hands-on training and virtual labs can also help make training programs more rewarding, especially if they contain content that is relevant to employees’ personal lives as well.
Related article: Why Security Awareness Training Should Be in Your IT Budget
Close collaboration is essential
A siloed organization, where different departments are either unwilling or unable to share data is especially bad for accountability. Organizational silos typically arise when a company has a lack of strong leadership and fails to encourage strong interdepartmental teamwork. This is bad news not only for productivity, but also for security, as it can lead to an endless cycle of finger-pointing if something goes wrong.
Maintaining high accountability standards requires transparency throughout the organization. Employees should not be afraid to call out suspicious behavior, and neither should they feel afraid to admit their own mistakes. By fostering a collaborative environment, it will be much easier to mitigate potential security threats before they cause serious problems.
Incentives help promote accountability
While everyone should be accountable for their efforts to protect the organization, the fact is that, to the average person, cybersecurity is hardly ‘fun’ or ‘interesting’. However, it does not have to be this way. Leaders should look for opportunities to celebrate success and, above all, they must communicate the fact that maintaining strong cybersecurity accountability and hygiene is not all about the needs of the business. Raising awareness and creating a security-first company culture will also be beneficial to your employees’ personal and professional lives.
To incentivize cybersecurity training and accountability, leaders should focus on engaging learning activities, such as hands-on phishing simulations that are immediately relevant to employee’s everyday activities. They should also consider adding some fun into the mix with gamification, and by rewarding the best performers with greater recognition for their efforts.
Charles IT provides a combination of comprehensive audits, technology solutions, and human expertise to help you meet the demands of DFARS compliance. Call us today to schedule an assessment.