8 Tips for Creating a Cybersecurity Culture
IT and business leaders can play a part in helping their organizations build a stronger cybersecurity culture. Here’s how.
![Vibrant speech bubble that says "Stunning Cybersecurity"](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt8cc1498d8fe9c901/64bf4213de20a4b97073336b/00stunningcybersecurity-NoraVector-alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
NoraVector via Alamy Stock
Cybersecurity is everyone’s job in any organization. But the importance of this simple fact escapes many workers who are focused on getting their work done. Meeting deadlines or getting off work on time are common temptations to circumvent security protocols. And even the most diligent and dedicated workers are often too distracted to see the marks of fraud in their email.
These issues are not going away, so how can IT and business leaders help their companies build a rock-solid culture that makes cybersecurity actions second nature to all? Here are the eight ways to make that happen.
Don’t just issue orders. Explain to people why it’s important to do the things you’re asking them to do. This will not only help them remember to do those things but will build their knowledge base so they can make better judgment calls in more threat scenarios later on.
“Always start with the 'why?' Explain why cybersecurity controls are in place with real stories that highlight the impact on organizations and the critical need for a company-wide posture,” says Rob Simopoulos, co-founder of Defendify.
“Provide secure ways to support people doing their job -- secure file exchange, secure browsing, securely opening attachments, etc.,” says Tim Rawlins, Director and Senior Advisor at NCC Group, a security consultancy. “By doing these things, individuals will have more headspace to do the right thing within the security culture of the organization.”
Most workers already have several to-do lists, and combined they create memory overload. If you want people to have enough mental bandwidth available to catch those tricky phishing emails, free up their headspace by reducing the number of things vying for their attention.
There’s no such thing as “healthy friction,” and it’s unlikely that there ever was. In any case, friction in any form is eroding your efforts to build a cybersecurity culture now.
“For many organizations, the long-entrenched dichotomy between the two groups once fostered a constructive push-and-pull relationship between the pseudo-rivals,” says Kavitha Mariappan, executive vice president of Customer Experience & Transformation at Zscaler. “But that could lead to further entrenched legacy infrastructure and hardware that today is vulnerable to cyberattack. Worse, it often aggravated a change-averse corporate culture, creating stubborn barriers to transformation that imperil many organizations today.”
Negative reinforcement can be self-defeating as employees are more likely to avoid or cover up security issues to avoid punishment. Be aware that people may see your cybersecurity training processes as punitive too. Turn this around by using positive reinforcements to encourage people to do the right things, including reporting issues and incidents.
“Explain cybersecurity in terms and concepts that people relate to,” says Ragnar Sigurðsson, co-Founder and Head of R&D at AwareGO. “Make them aware of how a breach could affect them personally but without a ‘thou shalt not’ message or a feeling of blame and shame.”
Classroom cybersecurity training is a good first step, but that alone will not change human behavior. Be sure to implement behavior science techniques too. Tailor programs to users for best effect.
“The need for cybersecurity is often not explained in terms that relate to [users’] daily lives and they believe that cybersecurity is something technical that is beyond their scope of work,” says Sigurðsson.
“Instead of taking a ‘one size fits all’ approach through only awareness and training,” says Neha Joshi, Security Growth & Strategy Lead at Accenture, “cybersecurity culture programs can target changing behaviors for the people who’ve exhibited challenges making secure choices.
"Building a cybersecurity culture must start at both the top and the bottom, with role modeling from senior people as well as efforts to build belief and ease to implement the change on the ground.”
Make cybersecurity efforts as much a competitive sport as a unified duty. Gamification is a proven technique to keep people engaged and aware. Use it to help build and reinforce your cybersecurity culture too.
“Security leaders can track and validate the completion of tasks as well as tally user points and other accolades,” says Gaurav Banga, founder and CEO of Balbix. “Scores can be published on a leaderboard to inspire further competition. Companies can even consider monthly, quarterly, or even annual recognition of top performers with a prize.
“What employee would not want to participate in improving their company’s cybersecurity posture,” he says, “if there was a chance of winning an all-expenses paid trip to Hawaii?”
Management must set the example too. Visible buy-in at the executive level is crucial.
“There is a reason why the involvement of management is a large part of certifications like ISO 27001,” says Mitch Kavalsky, senior director of security governance at Sungard Availability Services. “When employees see leadership setting the example, it is much easier to get everyone on board.”
Colonel (Ret.) George Lamont, CISO at IronNet, says that a dedicated, company-wide security force is built upon leadership engagement, employee engagement, and peer engagement.
“For this ‘engagement trio’ to be effective,” he says, “employees need to see commitment start from the top down, requiring collective buy-in at the executive leadership level. From there, engagement at the employee level requires the C-suite to provide consistent communication and transparency to each individual member of the workforce. Lastly, peer network engagement ensures there is never a false sense of security and employees at every level do not become complacent with security practices.”
Training is never enough to protect your company. People have to care.
“The constant barrage of news about cybersecurity breaches and failures of companies to protect data is becoming noise,” says Steve Sanders, chief information security officer for CSI. “The message is so common now that people either feel it doesn’t matter or there’s nothing they can do to stop it anyway. Our internal awareness programs need to be succinct, meaningful, and actionable, and employees need to know they are making a difference.”
“There should be regular communication around various cybersecurity topics, but not so much that the importance gets lost. Every month or two it is good to remind everyone of how cybersecurity can help protect the interests of the company and their customers,” Kavalsky adds.
Check out other InformationWeek slideshows.