While technology is an essential pillar of cybersecurity, it is the people that make the biggest difference. With a well-trained and experienced security team on the one hand and proactive personnel on the other, businesses can develop a sustainable, organization-wide security culture. How do we ensure the long-term success of the security culture at Kontent.ai, and how do we maintain its effectiveness?
We make our security culture the foundation of business success
Security culture refers to a set of security-related values, customs, and norms integrated into the behaviors of everyone within an organization. Embedding an effective security culture helps promote positive security practices among employees and creates a security-conscious environment essential to protecting data and employee and customer privacy.
To establish our security program as a sustainable long-term solution, we built its mission, vision, and strategy in line with our company culture and the values that guide us professionally. As a people-first organization, collaborating with others, trusting them, and caring for their opinions lie at our core. In addition, being ambitious and taking risks is also crucial for us, as we always strive for success.
“After joining Kontent.ai, I quickly realized that the great atmosphere and culture is what excites people to work here, innovate and achieve outstanding results.”
How does our security culture reflect these values? We perceive security as a business enabler rather than a mere expense. The security goals align with our business goals as we always seek to care for and listen to our customers to benefit them as best as we can and establish trust with their enterprise security teams.
As we believe that people are the strongest link, we empower users to understand their responsibility. In order to do that, we work closely with the asset owners to promote their security awareness. Making security seamless and implementing effective controls to integrate security into day-to-day operations is another key element to protecting our assets.
In addition, we support taking reasonable risks; however, we make sure they’re always well-calculated. Each decision we make is based on the risk level and in line with our risk appetite to guarantee that our business keeps moving forward.
We’re not a “department of no”
Security teams might be labeled as the “departments of no” in many organizations, but that’s not what we stand for. Having reasonable controls in place and being systematic is still important; however, we don’t limit user behavior where the risk is low as we want to avoid blocking productivity or effectiveness.
Our security team provides informed advice but ultimately leaves the decision to the system or data owner. We seek to create an environment where the owners are well-informed about what’s at stake, and in parallel, escalation is always possible if necessary. Our policies are based on asset classification, so the most highly classified assets receive the most rigorous attention. If facing a difficult decision, we take a step back, calculate the risk, and proceed accordingly.
Most importantly, our team is here to help and guide others through security best practices. Rather than always referring back to our policies, we explain, engage with other teams, and always seek to find relevant solutions to the issues in question.
We make security fun, meaningful and personal
Making security enjoyable might be challenging at times, but we’re on a mission to bring fun to the process by thinking outside the box. For us, security is much more than PowerPoints – instead, we’re utilizing gamification and competitiveness. What does that look like in practice?
Apart from hands-on training for all team members, we organize hackathons where the participants take on the attacker role to better understand their practices. This year, we also piloted a secure coding tournament with the mission to find the most flaws in the code. These initiatives help us safeguard our code in new ways by looking at it from different perspectives. In addition, we don’t stick to mandatory training – instead, our awareness training platform has an open library of courses with the possibility of earning medals and certificates.
To boost the cybersecurity awareness of our employees in a meaningful way, we run phishing campaigns. In these, our security team crafts and sends out messages that resemble real-life examples of targeted social engineering. These exercises help employees recognize the different forms attacks can take and prepare them to act in a more security-conscious manner.
We also make security personal. As we believe security should be a responsibility shared by all of us in our professional as well as personal lives, we provide free family licenses for the password management tool we use at Kontent.ai. This way, our employees can be the security ambassadors for their families and share the importance of positive security practices.
Lastly, we ensure that everyone within our organization is engaged and up-to-date by including security in our newsletters and other forms of communication. When it makes sense, we also ask for feedback regarding different decisions, such as choosing a new security tool, to ensure constant improvement.
Strong security culture cultivates proactivity
By elevating security culture to be the core of our security strategy, we ensure our people-first approach remains intact. The security team’s work is always in progress; however, it’s wonderful to see that the practices we already have in place are working. It’s exciting that more and more often, colleagues reach out to us, proactively thinking about ways to improve security and seeking advice on whether they’re approaching it in the right way.
In order to keep moving forward, we constantly trace, monitor, and measure everything we do. We also take in all the feedback on how to improve. Do you have any suggestions? We’re always listening to what you have to say, so feel free to let us know!