“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it is to secure layers 1 through 7.

Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?

Building a Cybersecurity Culture

To create a culture of cybersecurity, it helps to have a good idea of what such a culture would look like.

“Cybersecurity culture is making sure that users — top to bottom, right to left — [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Rod Turk, acting deputy chief information officer (CIO) at the U.S. Department of Commerce, told GCN. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), an outfit whose mission is to nurture a culture of cybersecurity and privacy, echoed those sentiments.

“Everyone at work plays an essential role in protecting the company and its sensitive data,” Kaiser said. “It’s crucial to educate your staff about how to use the internet safely at work and at home, and to continually remind them of the importance of protecting organizational and personal information.”

Fine-Tuning the Layer 8

How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:

  1. Embed cybersecurity throughout business processes instead of restricting it to one function.
  2. Encourage collaboration between different departments and areas of the business.
  3. Promote shared responsibility.
  4. Empower employees to learn and develop.

Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:

  • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
  • Form security awareness allies, including supporters from across the organization, not just the security team.
  • Empower employees to own their efforts in protecting data within the organization.


Awareness and Accountability

Together, these efforts form a strong bond, connecting employees with the impacts of their actions, promoting accountability and supporting efforts to gain awareness allies throughout the organization.

“Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company,” Steve Martino, vice president and chief information security officer (CISO) at Cisco, wrote on the company’s blog.

He also compared a successful cybersecurity culture to guardrails along a road. The guardrails don’t block traffic — i.e., prevent employees from generating value for the business — but they do help steer drivers away from security “cliffs.”

Martino’s advice to improve cybersecurity culture among employees consisted of three clear steps:

  1. Educate them.
  2. Test them.
  3. Make them accountable.

Let’s go through each of these points in turn. Many organizations today would argue that they have been educating their workforce, in some cases for decades. When it comes to testing the workforce, though, many top leaders still refuse to sign off on conducting phishing tests or performing red team engagements. Is it because they don’t want to ruffle the feathers of their workforce, or is it because they would rather not know how poorly their employees might score?

As for holding them accountable, a leader doesn’t need a Ph.D. in business administration to know that without accountability, it is nearly impossible to get employees to abide by company policies. However, IT leaders must be careful not to publicly shame employees who fall for well-crafted social engineering scams. Instead, they should alert offending employees’ direct supervisors and provide guidance on how to quickly and tactfully address the problem.

Culture Change Takes Time

Lest we think the concept of security culture is a new phenomenon, here is a quote from 2003 delivered by former Federal Trade Commission (FTC) Commissioner Orson Swindle in prepared remarks for the Committee on Energy and Commerce of the U.S. House of Representatives: “The critical lesson in this information-based economy is that we are all in this together: government, private industry and consumers, and we must all take appropriate steps to create a culture of security.”

While these words ring as true today as they did back in 2003, our world has changed. The Deloitte University Press noted that the “new world of work changes the way we engage people” and that “employees’ motivations have changed” compared to previous generations. Our approach to developing a culture of cybersecurity must match the times we live in.

Security doesn’t stop at layer 7 — it never did. It’s time to shore up layer 8, because deep down we know that cybersecurity is immeasurably critical to the well-being of any organization. We can’t afford to wait another decade to bring about a culture shift.
