Building a security-first culture is as important for cybersecurity as investing in the right tech or creating and enforcing the right policies.
Defensive technology alone cannot deliver all of the security an organization needs as long as individual employees decide what to click on and whom to trust, and leaders decide where and how much to invest in security. This is especially true with the rise of remote work.
How to Make Security Important to Everyone
What is security culture?
It’s the set of ideas, habits and social behaviors that lead people to make choices in their everyday work that strengthen, rather than undermine, the company’s cybersecurity. While “culture” sounds vague and soft, it is in practice the most reliable guide to action that can be taught, and it is the framework for making security matter to everyone in the group.
The importance of security consciousness cannot be overstated. In an organization with a solid security culture, employees report, rather than click on, suspicious links sent via email or text. They embrace, rather than circumvent, secure systems and safety protocols. And they engage freely with IT staff when they are unsure, confused or need help, rather than staying silent.
Senior leaders will bring security teams in on projects early out of a spirit of mutual benefit, rather than at the last minute out of a spirit of suspicion or distrust. And, business leaders will make decisions based on clearheaded intent to protect the organization’s assets, rather than mistaken notions that cutting security will improve the organization’s finances.
Unfortunately, nine out of 10 organizations do not have the security culture they want in their organizations, according to an ISACA/CMMI Institute Cybersecurity Culture Report conducted two years ago.
What is a Cybersecurity Mindset?
Security is part of every employee’s job description, whether in fact or in spirit. But how do you make sure every person keeps that in mind?
The answer, in a nutshell, is smart messaging, training and leadership. Here are the elements of a new and effective culture of security for your organization.
Security Culture Framework: Goals
Set awareness training aside for a moment. The first step is to set specific goals. Goals are qualitative and high level, as opposed to objectives, which are quantitative and measurable. These goals should be publicized; they serve not only as guides for creating objectives, but also as inspiration and talking points for the culture change to come.
The business adage “if you can’t measure it, you can’t improve it” holds for the creation of a security-first culture as much as for any other aspect of business. Objectives should be measurable in both quantity and time: each needs a deadline, or a point each year, at which progress can be assessed.
These objectives may include compliance with specific rules, a reduction in financial losses, specific metrics around employees passing tests, a reduction in data loss incidents, and others. Any practical objective with a deadline that supports the group’s goals belongs on the list.
Cybersecurity awareness training is often either put off until a tomorrow that never comes or scheduled too infrequently, such as once a year. Make it more frequent, with different sessions focusing on different dimensions of awareness, to build a lasting mindset.
Attack simulations in particular, and gamification in general, are great ways to drive home the realities of cybersecurity. Short of actually suffering a major attack, nothing raises awareness better. You can also create healthy competition between teams to keep people engaged.
Formal training sessions are just the “big events” of security awareness. Messages from leadership and management should also carry updates and reminders about the need for all-day, everyday vigilance. Keep it simple, basic and devoid of technical jargon.
A security-first culture demands open communication, and conveying concepts well requires the right words. Security awareness training should teach the language of security, especially the names of the common phishing attack types. By learning the words, employees learn to recognize the techniques.
Security awareness should also be a core part of new-employee onboarding. New employees should understand from the start that part of their job will be to work in an active culture of cybersecurity.
A sense of empowerment for every employee is also part of a culture of security awareness. The knowledge that any employee can help make or break the organization’s security posture should be foremost in everyone’s mind; without it, people become complacent. Empower employees to take action.
Some security problems are created by everyday employee errors that seem to have no connection to digital risk. A culture of security recognizes this and develops training for avoiding, or catching, errors in general.
Leaders Model Putting Security First
A culture of security means C-level executives understand that digital safety is a business challenge and a business opportunity, not a technical problem for the nerds to solve.
Leaders can signal that everyday cybersecurity is a strategic goal. All aspects of leadership come into play in creating a security-first culture: expressing concepts clearly, leading by example, and rewarding and promoting the right behaviors. Leaders can drive culture change in cybersecurity just as they do in other aspects of the business.
I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...