Creating a Healthy Cybersecurity Culture in Your Organization

Today’s dependence on technology demands security. A quick scan of the news provides details on the latest breach of the day – yet another tale of how a hacker was able to bypass an organization’s security layers to gain access to customer data.

Protecting your organization’s assets involves more than emphasizing cyber hygiene or the set and forget of tools and technology. You need a culture that embraces cybersecurity, a culture that makes cybersecurity top of mind among all your employees, top to bottom. Employee behavior plays a critical role in an organization’s cyber resiliency since most breaches are caused by human error. With nearly three-quarters of data breaches involving error, privilege misuse, use of stolen credentials or social engineering, it’s clear that organizations need to address not just the technology element, but also the human element when building a cybersecurity culture.


What defines a cybersecurity culture? What does it look like? 

Every organization has a security culture; the question is whether yours is healthy or unhealthy. A healthy cybersecurity culture is holistic and includes cyber hygiene, tools, and security awareness. Getting there means diving into the values that drive how people should think about and approach security within an organization. These values are shaped by the goals, structure, policies, processes, and leadership of the organization. A healthy, effective cybersecurity culture is one in which every person – top to bottom of the company – values cybersecurity and is motivated to make it better. They get why it’s important and see themselves as part of the solution. Fostering a strong cybersecurity culture ensures that employees are aware of the risks and understand how to respond to or report such risks.


Developing the right culture is a continuous process 

Culture shifts start from the top – leadership actions, more than speeches, set the tone. When the C-suite and directors model transparency, accountability and cyber smarts in their own practices, it manifests across the entire company. Culture is the goal, not a simple step. You don’t just flip a switch to change a culture and develop the right behaviors around cybersecurity – it’s a process that gets baked into your organization.

As your team embarks on creating real, long-lasting change in developing a cybersecurity culture, be sure it includes:

  • Organizational buy-in that starts at the top. Ensure senior leadership is committed to cybersecurity and sets a strong example. Your leadership team should actively promote and support cybersecurity initiatives and embrace policies and processes.
  • Develop clear and comprehensive security policies, guidelines and best practices and make sure they are updated and communicated regularly.
  • Encourage reporting of security concerns including simple reporting of incidents. Create an environment where employees feel comfortable reporting concerns without fear of reprisal.
  • Regularly test your incident response plan, ensuring that all employees know how to report security incidents, with clear steps for containment and recovery.
  • Make sure your drills and exercises include social engineering awareness training. Train staff to recognize and resist tactics such as phishing, baiting and tailgating, and run exercises that simulate real-world threats to test your organization’s readiness.
  • Maintain open lines of communication about cybersecurity matters.
  • Celebrate successes including rewards and positive reinforcement to maintain a strong culture.
  • Make security fun and engaging. Consider gamification of monthly trainings or other lighthearted features so people won’t roll their eyes at the thought of yet another security training.
  • Extend culture beyond the workplace. Encourage discussion of good security habits at home to protect families as well. A security-aware culture should translate beyond the workplace. Provide resources and training for families of employees.
  • Communicate transparently especially around incidents. Breach notifications to customers should extend internally too. Discuss outage root causes without blame or punishment. Learn from incidents through updated controls rather than instill fear.


CyberOne Viewpoint: 

We cannot overstate the foundational importance of human-centric security. Technical controls will fail without an organizational culture that makes cyber risks everyone’s responsibility. Many boards continue to grapple with how to motivate employee behaviors amid rapid digitization. At CyberOne, we guide clients to invest in their people first through policies that empower and educate, backed by resilient systems that support the business.

In summary, building a robust cybersecurity culture requires a multilayered approach with buy-in across the organization. It’s an ongoing initiative that requires constant reinforcement through policies, training, and leadership exemplification. By making security second nature to staff, you vastly improve resilience against cyber threats. The human layer is the first line of defense for any organization.


About the Author

Ricky Allen, an ISSA Fellow, is the Field CISO for CyberOne Security, where he provides security architecture design and leadership management for customers across the country. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. Allen was focused on retail and manufacturing industries while at PwC, where he managed penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.