Building a Cybersecurity Culture Around Layer 8

“Cybersecurity must accommodate and address the needs of people through process and cultural change.” — Gartner press release dated June 6, 2016

The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it to secure layers 1 through 7.

Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?

Building a Cybersecurity Culture

To create a culture of cybersecurity, it helps to have a good idea of what such a culture would look like.

“Cybersecurity culture is making sure that users — top to bottom, right to left — [are] keeping cybersecurity in their thought process no matter what they’re doing in the IT world,” Rod Turk, acting deputy chief information officer (CIO) at the U.S. Department of Commerce, told GCN. “It applies to management; it applies to development and systems. Keeping cybersecurity in mind also means looking down the road and identifying when you may be ripe for a phishing attack.”

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), an outfit whose mission is to nurture a culture of cybersecurity and privacy, echoed those sentiments.

“Everyone at work plays an essential role in protecting the company and its sensitive data,” Kaiser said. “It’s crucial to educate your staff about how to use the internet safely at work and at home, and to continually remind them of the importance of protecting organizational and personal information.”

Fine-Tuning the Layer 8

How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:

  1. Embed cybersecurity throughout business processes instead of restricting it to one function.
  2. Encourage collaboration between different departments and areas of the business.
  3. Promote shared responsibility.
  4. Empower employees to learn and develop.

Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:

  • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
  • Form security awareness allies, including supporters from across the organization, not just the security team.
  • Empower employees to own their efforts in protecting data within the organization.

Listen to the podcast: Take Back Control of Your Cybersecurity Now

Awareness and Accountability

Together, these efforts form a strong bond, connecting employees with the impacts of their actions, promoting accountability and supporting efforts to gain awareness allies throughout the organization.

“Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company,” Steve Martino, vice president and chief information security officer (CISO) at Cisco, wrote on the company’s blog.

He also compared a successful cybersecurity culture to guardrails along a road. The guardrails don’t block traffic — i.e., prevent employees from generating value for the business — but they do help steer drivers away from security “cliffs.”

Martino’s advice to improve cybersecurity culture among employees consisted of three clear steps:

  1. Educate them.
  2. Test them.
  3. Make them accountable.

Let’s go through each of these points in turn. Many organizations today would argue that they have been educating their workforce, in some cases for decades. When it comes to testing the workforce, though, many top leaders still refuse to sign off on conducting phishing tests or performing red team engagements. Is it because they don’t want to ruffle the feathers of their workforce, or is it because they would rather not know how poorly their employees might score?

As for holding them accountable, a leader doesn’t need a Ph.D. in business administration to know that without accountability, it is nearly impossible to get employees to abide by company policies. However, IT leaders must be careful not to publicly shame employees who fall for well-crafted social engineering scams. Instead, they should alert offending employees’ direct supervisors and provide guidance on how to quickly and tactfully address the problem.

Culture Changes Takes Time

Lest we might think the concept of security culture is a new phenomenon, here is a quote from 2003 delivered by former Federal Trade Commission (FTC) Commissioner Orson Swindle in prepared remarks for the Committee on Energy and Commerce of the U.S. House of Representatives: “The critical lesson in this information-based economy is that we are all in this together: government, private industry and consumers, and we must all take appropriate steps to create a culture of security.”

While these words ring as true today as they did back in 2003, our world has changed. The Deloitte University Press noted that the “new world of work changes the way we engage people” and that “employees’ motivations have changed” compared to previous generations. Our approach to developing a culture of cybersecurity must match the times we live in.

Security doesn’t stop at layer 7 — it never did. It’s time to shore up layer 8, because deep down we know that cybersecurity is immeasurably critical to the well-being of any organization. We can’t afford to wait another decade to bring about a culture shift.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.