Engage users as people to take the IT out of security: J&J CSO
18 November, 2013 14:10
The role of CSO is often seen as a technical one, but Johnson & Johnson (J&J) global manager for enterprise security and risk management Angela Coble has found that her people-focused background in sales and marketing has helped dramatically change perceptions of the security organisation.
Having started at J&J over four years ago in a compliance role, Coble rapidly moved into information security and ended up as CSO. It was “quite a leap from a marketing and sales environment into a fairly full-on security role,” she told attendees at the recent CSO Perspectives Roadshow in Sydney, “but I found that my marketing and sales background, and my ability to see both sides of the table, technical and people, actually helped translate some of the issues that I saw.”
“This helped me break through to the directors and talk to my technical teams, which was very, very important.”
Despite stereotypes that security staff are “a pretty boring bunch” and questions about why she had moved to the “dark side”, Coble said she had found the company's security staff to be nothing like that perception.
“My team are so customer focused, and they do a fantastic job keeping the lights on all the time,” she explained. “That is the main difference with my security team from others that I have seen: we have a corporate responsibility that transcends organisational boundaries.”
That realisation led to some interesting conversations with business leaders from various organisations at different levels, many of whom had often seen the IT and security teams as business inhibitors. However, when Coble talked to her previous colleagues in Marketing, she realised that the biggest challenge was one of perception. “My profession had always been seen as the ones that would halt the business moving forward because we weren't able to keep up with the innovations that were required to let the business grow,” she explained.
One theme of her advocacy of IT security has been to position training and education in an accessible way that employees can relate to; Coble uses her 12-year-old son, who “knows enough [about the Internet] to be dangerous but not enough to be safe,” as a touchstone when considering how best to position her security-related user outreach efforts.
Considering how such a young person used technology helped focus education efforts around increasingly popular bring-your-own-device (BYOD) programs, and reminded Coble frequently that “the traditional borders we had found ourselves working with just weren't there anymore.” “We've got a completely different set of rules,” she continued, “but the one constant, no matter how much the technology evolves, is the people in that relationship. So I decided to do something different: try to remove technology from the discussion piece, and start to talk about the people involved in the relationship itself.”
For example, a suite of engaging education videos – filmed using real members of the security team – has sought to remind users about the importance of issues such as physical device security or protecting intellectual property.
“If we could just tell our company, families, colleagues and the broader community to use a tougher password, we could stop a third of the successful attempts from hackers wanting to get to our personal or company data,” she said.
“It's not a hard message to sell, and it's actually quite simple to get across. I took the videos home and showed them to my children, and they actually got it. The minute you bring these messages down to the level they need to be, they're actually very easy to sell.”
Delivering that simplicity, however, can be difficult when CSOs are too focused on high-level relationships and negotiations. If they can take a step back and think of security from a human perspective, the education process – and, in turn, overall compliance – becomes far easier.
“You don't have to spend a fortune on creating all of these videos or documents,” she said. “The fact that we can develop a very technology-agnostic and dynamic solution with simple tools is probably the biggest message I can give. There is a whole host of information out there that will help you create this personal touch to your security education programs. If you don't, you will be lost in the technology.”