March 6, 2017 By Christophe Veltsos 4 min read


“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it to secure layers 1 through 7.

Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?

Building a Cybersecurity Culture

To create a culture of cybersecurity, it helps to have a good idea of what such a culture would look like.

“Cybersecurity culture is making sure that users — top to bottom, right to left — [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Rod Turk, acting deputy chief information officer (CIO) at the U.S. Department of Commerce, told GCN. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), an outfit whose mission is to nurture a culture of cybersecurity and privacy, echoed those sentiments.

“Everyone at work plays an essential role in protecting the company and its sensitive data,” Kaiser said. “It’s crucial to educate your staff about how to use the internet safely at work and at home, and to continually remind them of the importance of protecting organizational and personal information.”

Fine-Tuning the Layer 8

How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:

  1. Embed cybersecurity throughout business processes instead of restricting it to one function.
  2. Encourage collaboration between different departments and areas of the business.
  3. Promote shared responsibility.
  4. Empower employees to learn and develop.

Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:

  • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
  • Form security awareness allies, including supporters from across the organization, not just the security team.
  • Empower employees to own their efforts in protecting data within the organization.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

Awareness and Accountability

Together, these efforts form a strong bond, connecting employees with the impacts of their actions, promoting accountability and supporting efforts to gain awareness allies throughout the organization.

“Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company,” Steve Martino, vice president and chief information security officer (CISO) at Cisco, wrote on the company’s blog.

He also compared a successful cybersecurity culture to guardrails along a road. The guardrails don’t block traffic — i.e., prevent employees from generating value for the business — but they do help steer drivers away from security “cliffs.”

Martino’s advice to improve cybersecurity culture among employees consisted of three clear steps:

  1. Educate them.
  2. Test them.
  3. Make them accountable.

Let’s go through each of these points in turn. Many organizations today would argue that they have been educating their workforce, in some cases for decades. When it comes to testing the workforce, though, many top leaders still refuse to sign off on conducting phishing tests or performing red team engagements. Is it because they don’t want to ruffle the feathers of their workforce, or is it because they would rather not know how poorly their employees might score?

As for holding them accountable, a leader doesn’t need a Ph.D. in business administration to know that without accountability, it is nearly impossible to get employees to abide by company policies. However, IT leaders must be careful not to publicly shame employees who fall for well-crafted social engineering scams. Instead, they should alert offending employees’ direct supervisors and provide guidance on how to quickly and tactfully address the problem.

Culture Changes Takes Time

Lest we might think the concept of security culture is a new phenomenon, here is a quote from 2003 delivered by former Federal Trade Commission (FTC) Commissioner Orson Swindle in prepared remarks for the Committee on Energy and Commerce of the U.S. House of Representatives: “The critical lesson in this information-based economy is that we are all in this together: government, private industry and consumers, and we must all take appropriate steps to create a culture of security.”

While these words ring as true today as they did back in 2003, our world has changed. The Deloitte University Press noted that the “new world of work changes the way we engage people” and that “employees’ motivations have changed” compared to previous generations. Our approach to developing a culture of cybersecurity must match the times we live in.

Security doesn’t stop at layer 7 — it never did. It’s time to shore up layer 8, because deep down we know that cybersecurity is immeasurably critical to the well-being of any organization. We can’t afford to wait another decade to bring about a culture shift.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today