Cybersecurity professionals can get further in changing the mindset at their organizations by embracing the company’s culture rather than forcing security requirements, said David Nolan, vice president of information security at the lease-to-own retailer Aaron’s.
For example, if you work in an industry with a high risk tolerance to innovate or adopt new technologies, you’ll get nothing done by creating barriers and saying “no” all the time, said Nolan.
Listen to episode 30 of CISO Stories: “Achieving Security Buy-in: Change Approach, Not Culture”
“‘Changing the culture;’ we’ve said that for years,” as the ultimate goal, Nolan said. “Really what I challenge my peers to do is really change your approach.”
“And what you’ll be surprised at, and what I’ve experienced, is by changing your approach and your mindset, you actually do end up making a more secure culture without trying to forcibly change that culture of the company.”
Nolan shared his experience during the CISO Stories podcast with Todd Fitzgerald, vice president of cybersecurity strategy at the Cybersecurity Collaborative. In addition to Aaron’s, Nolan has held information technology positions at State Farm Insurance and the CIA.