As we start a new year, let's think about how we can draw up a plan to exercise our cyber fitness and make it a culture that sticks. It's a critical time to get this done as we work toward a new era where we're breaking down silos, understanding the new ecosystem movement going forward and the edge computing phenomenon.
Communication, creativity, and empathy are crucial in shifting from what we call a "have-to" security mindset (i.e., "I have to take this precaution because IT said so") to a "want-to" mindset, which suggests employee buy-in to a company's security policy beyond simply ticking off a to-do box or watching a training video.
Key considerations include:
- Do we have top-down buy-in?
- Are expectations communicated effectively?
- Are we driving accountability?
- Have we formed a good CRUST (Credibility & Trust)?
When we say, "security culture" and "we have a positive security culture," what we perceive as security culture and what you think in your mind as security culture might be two very different things. The reason is our companies prioritize the accomplishment of security goals differently. Some basics involve patching and reducing the chances of being hit by phishing attacks, but the underlying reason why that happens differs among organizations. This article is intended to examine each of these questions and provide helpful tips for creating a culture of cybersecurity awareness.
Isn't security something we should all be thinking about, not just the CISOs? It's interesting how people don't want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen. But the reality is, within any organization, doing the right thing -- whether that be security, keeping track of the money, or making sure that things are going the way you're expecting -- is a responsibility shared across the entire organization.
That's something that we are now becoming more accustomed to. The security space realizes it's not just about the security folks doing a good job. It's about enabling the entire organization to understand what's important to be more secure and making that as easy as possible.
There's an element of culture change and of improving the entire organization. What's causing these softer approaches -- behavior, culture, management, and attitude more important now? Is there something about security technology that has changed that makes us need to look at how people think? We're beginning to realize that technology is not going to solve all our problems.
So how do we create a top-down culture? The best recommendation would be to align business goals with good representation from multiple stakeholders, including the CEO, COO, IT Marketing, Finance, or business owner, depending on the size and structure of the firm.
Appointing a "fall person" for security would make it challenging to foster a cybersecurity-aware culture. Instead, identifying a lead such as a CISO, CIO, or security director and inspiring an organization-wide, strategically aligned program would promote the most significant outcome. At a minimum, form a small security committee represented by key stakeholders and empower the security leader to fully understand the business objectives and recommend the best protection methods.
Kick Start your Security Culture
Once we have buy-in, it's time to communicate. What good is a cybersecurity policy if the people expected to follow it do not understand who, what, why, and how? The idea of sticking with "the policy states" only goes so far. Policies should be developed with the audience in mind, covering:
- Purpose – why is the policy needed?
- Objective – state the goal/what we want to accomplish.
- Scope – what/who does the policy cover?
- Roles & responsibilities – who is responsible, and what are their duties?
- Penalties for non-compliance – why must the policy be followed?
To summarize – how will the effectiveness be measured? Understand baseline and encourage good behavior for reporting incidents
Everyone is accountable
Our primary goal in exercising cyber fitness is to raise awareness and understanding, measured by an increase in reported incidents and a decrease in actual events that are alleviated before they become incidents. It's essential to communicate the effectiveness and examples of accountability.
Some organizations utilize cybersecurity newsletters, while others make it a point to highlight via human resources or top-down communications. The key is to make it known that this is not another "mandatory training." It's the standard, and we all have a stake in it.
Don't burn the CRUST
CRUST = Credibility and Trust. If we take a step back and ask, why do we even care about the security conversation? Security is one of the foundations of trust. No matter what companies we work for, we have some customers, someone that we serve, and customers need trust to make this transaction functional. Hence, an effective and successful company has a trust established with its customers and, in essence, its employees.
At the end of the day, when we're talking about building security in our companies, we're talking about building trust with our customers. Even if we look at ourselves and our spending habits, how many of us would choose to give our credit-card data to a company that's regularly getting hacked or has poor architectural choices where we don't trust our personal information? We don't. Or most of the time, we don't.
This is the foundation of why we're even having this conversation. When we think about building security in our organizations, that may mean different things to each of you. That could mean better architectural choices, products, threat modeling, processes, and reporting. It's the cultural foundation of how we make security decisions in our organization.
We must have accountability at all levels, and consistency is key to maintaining credibility and trust. If you attempt to bake a pizza without setting a timer or constantly monitoring it, your chances of burning the crust will drastically increase. It's great to take a similar approach with your organization. Look for ways to get feedback from employees and keep an open door for communication. Share feedback with your security committee and adjust accordingly. Remember to celebrate good behavior, communicate, and demonstrate examples of accountability.
We are the firewall
What began with a question ends with a statement, "WE are the firewall." A culture built with top-down buy-in, accountability, and a good crust can be the foundation for employees to feel like they are part of something bigger and take pride in being the firewall. Though cybersecurity culture can sound intimidating, we can make headway as leaders now understand that the alternative threatens their bottom line.
As security becomes more integrated into businesses' day-to-day operations, we will continue to see a positive culture shift to reflect the common CISO phrase, "security is everyone's job." The ultimate protection against cyber threats is that of instilling an organizational culture that is 'cybersecurity ready,' and that is knowledgeable and prepared to mitigate the risks at all levels of its strategy and operations.