“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it is to secure layers 1 through 7.

Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?

Building a Cybersecurity Culture

To create a culture of cybersecurity, it helps to have a good idea of what such a culture would look like.

“Cybersecurity culture is making sure that users — top to bottom, right to left — [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Rod Turk, acting deputy chief information officer (CIO) at the U.S. Department of Commerce, told GCN. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), an outfit whose mission is to nurture a culture of cybersecurity and privacy, echoed those sentiments.

“Everyone at work plays an essential role in protecting the company and its sensitive data,” Kaiser said. “It’s crucial to educate your staff about how to use the internet safely at work and at home, and to continually remind them of the importance of protecting organizational and personal information.”

Fine-Tuning the Layer 8

How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:

  1. Embed cybersecurity throughout business processes instead of restricting it to one function.
  2. Encourage collaboration between different departments and areas of the business.
  3. Promote shared responsibility.
  4. Empower employees to learn and develop.

Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:

  • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
  • Form security awareness allies, including supporters from across the organization, not just the security team.
  • Empower employees to own their efforts in protecting data within the organization.


Awareness and Accountability

Together, these efforts form a strong bond, connecting employees with the impacts of their actions, promoting accountability and supporting efforts to gain awareness allies throughout the organization.

“Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company,” Steve Martino, vice president and chief information security officer (CISO) at Cisco, wrote on the company’s blog.

He also compared a successful cybersecurity culture to guardrails along a road. The guardrails don’t block traffic — i.e., prevent employees from generating value for the business — but they do help steer drivers away from security “cliffs.”

Martino’s advice to improve cybersecurity culture among employees consisted of three clear steps:

  1. Educate them.
  2. Test them.
  3. Make them accountable.

Let’s go through each of these points in turn. Many organizations today would argue that they have been educating their workforce, in some cases for decades. When it comes to testing the workforce, though, many top leaders still refuse to sign off on conducting phishing tests or performing red team engagements. Is it because they don’t want to ruffle the feathers of their workforce, or is it because they would rather not know how poorly their employees might score?

As for holding them accountable, a leader doesn’t need a Ph.D. in business administration to know that without accountability, it is nearly impossible to get employees to abide by company policies. However, IT leaders must be careful not to publicly shame employees who fall for well-crafted social engineering scams. Instead, they should alert offending employees’ direct supervisors and provide guidance on how to quickly and tactfully address the problem.

Culture Change Takes Time

Lest we think the concept of security culture is a new phenomenon, here is a quote from 2003 delivered by former Federal Trade Commission (FTC) Commissioner Orson Swindle in prepared remarks for the Committee on Energy and Commerce of the U.S. House of Representatives: “The critical lesson in this information-based economy is that we are all in this together: government, private industry and consumers, and we must all take appropriate steps to create a culture of security.”

While these words ring as true today as they did back in 2003, our world has changed. The Deloitte University Press noted that the “new world of work changes the way we engage people” and that “employees’ motivations have changed” compared to previous generations. Our approach to developing a culture of cybersecurity must match the times we live in.

Security doesn’t stop at layer 7 — it never did. It’s time to shore up layer 8, because deep down we know that cybersecurity is immeasurably critical to the well-being of any organization. We can’t afford to wait another decade to bring about a culture shift.
