Unpopular opinion: Cybersecurity culture doesn’t start with people
Creating a company-wide cybersecurity culture is a difficult and essential part of protecting an organization’s assets, particularly its data and services.
A strong cybersecurity culture helps organizations meet security and compliance requirements. It helps people understand and appreciate risk, so they proactively and willingly make decisions with security in mind.
Organizations’ employees undoubtedly play a vital role in cybersecurity culture. But often, too much responsibility is placed on people.
This approach, by and large, misses the point of who is responsible for developing a cybersecurity culture, because security culture doesn’t start with people. It starts with you, the security team.
Side note: You can learn more about people-centric culture here.
What is cybersecurity culture?
Research offers varying definitions, most of them oriented around people’s attitudes and behaviors toward security.
A meaningful cybersecurity culture doesn’t develop organically. While negative behaviors often happen naturally, positive behaviors require planning, action, and ongoing care.
A company needs to invest in its culture and set the example from the top down. It requires adequate technology, management support, supportive policies, and training and awareness programs. To sustain a healthy cybersecurity culture, there must be an ongoing focus.
Building a healthy cybersecurity culture
While security awareness and education are part of a healthy security culture, on their own they seldom lead to the intended results.
It’s unrealistic, and shows a lack of understanding of the human condition, to expect people to care deeply about security when their incentive structures are built around their own jobs, not the security team’s!
Most people are driven by job-related targets, tasks, bonuses, and promotions, while security often adds friction to reaching those goals.
Start with technology
Good cybersecurity culture develops in a working environment where people don’t have to worry constantly about security.
Good cybersecurity culture is fostered in an environment in which every decision that can be made by technology is made by technology.
Spare people from having to expend mental energy on security wherever possible. Use SSO and biometric login processes, automate backups, and give people the devices and software they need to do their jobs, reducing the need for shadow tech.
Utilize technology in such a way that it’s not the end of the world if someone clicks on a stray phishing email, or plugs in a malicious device.
Implementing regular security awareness training for employees can greatly enhance the overall security posture of your organization, as it helps educate your people on potential security risks, how to properly handle sensitive information, and how to protect against cyber threats.
Keep tech up to date with a regular patching and testing routine. Conduct regular security audits to ensure your systems are secure and current. Cyber threats are constantly evolving, so your tech should not remain stagnant.
Next, develop policies and procedures
Though policies and procedures (P&P) may have a bad reputation, in a healthy cybersecurity culture P&P take a front-row seat when they are relatable, contextual, and digestible.
Communicate policies to employees in a way that meets people where they are. For example, if people communicate using Microsoft Teams, send them relatable security content using MS Teams!
Implement processes that encourage people to report incidents or suspected incidents. People shouldn’t feel like they’ll be punished for making mistakes; they should feel like they’ll be acknowledged and thanked for speaking up!
As much as is feasible, align security policies and procedures with what incentivizes people to do their jobs. Make sure any new security policy is communicated to all employees and that they are aware of its purpose and the value in following it.
Then, and only then, consider people
Senior leadership should be committed to creating a culture of cybersecurity, and they should lead by example. If senior leaders don’t lead by example, people will assume it’s okay to disregard and ignore security.
Make sure people know that the security team is open and welcoming; if they do, they are far more likely to speak up, and if they don’t, they won’t.
Position the security team as the problem-solving team. If people have problems that are being caused by security controls, systems, or processes, you need to know about them! If security hinders people from doing their jobs, they’ll find ways around the security.
Lastly, but importantly, support your people. Arm them with the knowledge they need to enact good security behaviors, and provide them with contextual and relevant information and training so they know how to interact with their cyber-environment responsibly and understand the potential security threats that arise when sensible cyber-guidance is not followed.
Educate people toward the right behaviors. People should strive to carry out good security behaviors because they see the value it brings to the organization and to themselves. A good way to encourage this is by drawing parallels to people’s personal lives. Show people how good security practices can help keep their families and loved ones safe.
Don’t assume people will recall or research cybersecurity training material from months ago; give them the information they need, as they need it, using timely nudges, alerts, and reminders.
Who is responsible for developing a cybersecurity culture?
Although cybersecurity may be everyone’s responsibility, security professionals bear an outsized role in its caretaking and promotion.
Cybersecurity culture is your garden! People do have a responsibility to keep the garden tidy, not litter, not graffiti, and treat it with respect. Your role is to curate the space so that other people can enjoy it effortlessly.
Work on building an environment that allows good cybersecurity culture to thrive and keep your organization safe from cyber threats. This ongoing process requires constant nurturing, attention, and commitment from all levels of the organization. People want to do the right thing—make it easy for them!