Top CSO Priority for 2023: Create a Strong Security Culture

BrandPost By Jeff Miller
Feb 21, 2023 | 3 mins
Security

Ensuring strong security requires a strong security culture, from the C-Suite to junior employees and throughout the extended supply chain. For every CSO in 2023, creating and strengthening a culture of security has to be priority No. 1.

Among CSOs, cybersecurity threats are well understood. What’s less well understood is the degree to which security is the job not just of IT or the security team, but of the entire company. It’s a cliché, but it’s true: Security is only as strong as the weakest link. Ensuring strong security requires a strong security culture, from the C-Suite to every employee throughout the extended supply chain. For every CSO in 2023, creating and strengthening a culture of security has to be priority No. 1.

Lenovo has established a reputation among organizations — including most democratic governments — as a company with a strong security culture, where security is an integral part of the entire product lifecycle, beginning as early as the initial concept. Doug Fisher is Lenovo’s chief security officer, reporting directly to CEO Yang Yuanqing.

“The task starts in the executive suite,” Fisher said. “To effect real change, the CSO should report directly to the CEO and have a seat at the table. I’m held accountable to the audit committee of the board. It drives messages more efficiently. I have a seat at the table of executive staff and connections with the Board of Directors so I can educate the board and help them become advocates to drive the security agenda.”

Another key element is training. All it takes is a single employee clicking on the wrong link in a phishing email to give hackers access to the network and launch a devastating attack. Security training appropriate to every role must be mandatory.

“Everyone has to go through security training, and it must be a top priority,” Fisher said. “I’d send personal emails to people who didn’t take it. We’ve trained nearly 100% of the company, including contractors, so people understand their role. Anything less than that accepts an unacceptable level of cybersecurity risk.”

Access to corporate IT resources should also be a privilege that is predicated on good security practice, especially in this new world of work, where many employees are working outside of the confines of the corporate firewall. For security updates handled by each individual employee, such as updating the operating system of their laptops, the CSO should set a deadline by which everyone must adopt the latest version or lose access to the network.

Additionally, the CSO must implement a zero-trust policy regarding network connections. With internet connectivity a common feature of even mundane devices, nothing should connect to the network unless previously authorized to do so.

Finally, organizations and especially vendors must build a trusted, secure supply chain. Each supplier should undergo an audit to ensure they meet an appropriate level of security. At Lenovo, for instance, all suppliers of intelligent components and logistics providers are vetted, and all products are shipped in tamper-proof packaging.

Certainly, Lenovo has established itself as a strong example to other vendors when it comes to infusing security throughout the entire organization. But Fisher is not sitting still. There’s always room for improvement, especially when it comes to security.

“Security is one of our biggest advantages,” Fisher said. “People know our brand around the globe as a company that provides business security. And we do that through a strong security culture with a consistent, secure approach to developing and deploying products and services.”

To learn more about Lenovo’s commitment to building a security-focused culture, visit the company’s StoryHub.