Does this sound familiar?
My company does what it can with security and is compliant; we have had no breaches so far.
The problem is that the security team knows we can get breached; in fact, we likely already have. But fortunately nothing has been overtly accomplished (as far as we can tell) by the hackers.
In the meantime the sales, marketing, customer service, and production departments are running their operations as normally as possible. Security is not on the radar. What everyone is thinking about is doing their jobs: selling, paperwork, customer service, and more (not security).
Every now and then the IT security people require a new password or upgrades of this and that, but there are no checks and balances.
The problem is that there are no incentives for higher security.
What can we create to give incentives for people to be more secure in general?
We can create a testing team (called a red team) to look into hacking our company with permission.
We can give incentives to the red team for successfully hacking with a public report of how it happened (by public I mean within the company only).
This is a risky proposition: giving the red team this capability makes people think not just about their jobs but also about security. Oh wait a sec, that’s a good thing.