March 6, 2017 By Christophe Veltsos 4 min read

“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it to secure layers 1 through 7.

Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?

Building a Cybersecurity Culture

To create a culture of cybersecurity, it helps to have a good idea of what such a culture would look like.

“Cybersecurity culture is making sure that users — top to bottom, right to left — [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Rod Turk, acting deputy chief information officer (CIO) at the U.S. Department of Commerce, told GCN. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), an outfit whose mission is to nurture a culture of cybersecurity and privacy, echoed those sentiments.

“Everyone at work plays an essential role in protecting the company and its sensitive data,” Kaiser said. “It’s crucial to educate your staff about how to use the internet safely at work and at home, and to continually remind them of the importance of protecting organizational and personal information.”

Fine-Tuning the Layer 8

How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:

  1. Embed cybersecurity throughout business processes instead of restricting it to one function.
  2. Encourage collaboration between different departments and areas of the business.
  3. Promote shared responsibility.
  4. Empower employees to learn and develop.

Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:

  • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
  • Form security awareness allies, including supporters from across the organization, not just the security team.
  • Empower employees to own their efforts in protecting data within the organization.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

Awareness and Accountability

Together, these efforts form a strong bond, connecting employees with the impacts of their actions, promoting accountability and supporting efforts to gain awareness allies throughout the organization.

“Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company,” Steve Martino, vice president and chief information security officer (CISO) at Cisco, wrote on the company’s blog.

He also compared a successful cybersecurity culture to guardrails along a road. The guardrails don’t block traffic — i.e., prevent employees from generating value for the business — but they do help steer drivers away from security “cliffs.”

Martino’s advice to improve cybersecurity culture among employees consisted of three clear steps:

  1. Educate them.
  2. Test them.
  3. Make them accountable.

Let’s go through each of these points in turn. Many organizations today would argue that they have been educating their workforce, in some cases for decades. When it comes to testing the workforce, though, many top leaders still refuse to sign off on conducting phishing tests or performing red team engagements. Is it because they don’t want to ruffle the feathers of their workforce, or is it because they would rather not know how poorly their employees might score?

As for holding them accountable, a leader doesn’t need a Ph.D. in business administration to know that without accountability, it is nearly impossible to get employees to abide by company policies. However, IT leaders must be careful not to publicly shame employees who fall for well-crafted social engineering scams. Instead, they should alert offending employees’ direct supervisors and provide guidance on how to quickly and tactfully address the problem.

Culture Changes Takes Time

Lest we might think the concept of security culture is a new phenomenon, here is a quote from 2003 delivered by former Federal Trade Commission (FTC) Commissioner Orson Swindle in prepared remarks for the Committee on Energy and Commerce of the U.S. House of Representatives: “The critical lesson in this information-based economy is that we are all in this together: government, private industry and consumers, and we must all take appropriate steps to create a culture of security.”

While these words ring as true today as they did back in 2003, our world has changed. The Deloitte University Press noted that the “new world of work changes the way we engage people” and that “employees’ motivations have changed” compared to previous generations. Our approach to developing a culture of cybersecurity must match the times we live in.

Security doesn’t stop at layer 7 — it never did. It’s time to shore up layer 8, because deep down we know that cybersecurity is immeasurably critical to the well-being of any organization. We can’t afford to wait another decade to bring about a culture shift.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today