How company culture can help, rather than hinder, safety programs

Cybersecurity professionals can go the extra mile in changing the mindset of their organizations by embracing company culture rather than imposing security requirements, said David Nolan, vice president of security information at hire-purchase retailer Aaron’s.

For example, if you’re working in an industry with a high risk tolerance for innovating or adopting new technologies, you won’t get anything by creating barriers and saying “no” all the time, Nolan said.

Listen to CISO Stories Episode 30: “Achieving Adherence to Security: Changing the Approach, Not the Culture”

“’Changing the culture;’ we’ve been saying it for years,” as the ultimate goal, Nolan said. “In reality, what I challenge my peers to do is to really change your approach.”

“And what will surprise you, and what I’ve experienced, is that by changing your approach and your mindset, you end up creating a safer culture without trying to forcibly change that culture of business.”

Nolan shared his experience during the CISO Stories podcast with Todd Fitzgerald, vice president of cybersecurity strategy at Cybersecurity Collaborative. In addition to Aaron, Nolan has held information technology positions at State Farm Insurance and the CIA.