1. Increase face-to-face interaction
Unsurprisingly, the vast majority of messages from IT security departments are written and sent digitally. Emails and blog posts are incredibly efficient. For shaping culture though, on their own they’re not as effective as people often think.
Albert Mehrabian, the world’s leading authority on nonverbal communication, notes that just 7% of messages conveying attitudes are derived from words alone. The rest seems to be delivered via body language and tone. Both are entirely absent from most digital transmissions.
To begin to shift culture, cyber security professionals should aim to increase their physical presence in workplaces – even if only on an intermittent basis.
2. Focus on behaviours as well as attitudes
For a long time now, we’ve believed attitudes drive behaviour. But do they?
While the answer is yes, the relationship isn’t entirely one way. An increasing body of research (such as Gary Wells’ study on head movement, or Daryl Bem’s on self-perception) suggests that how we behave directly influences our opinions and beliefs.
Changing our attitudes towards cyber security, then, might be as straightforward as changing behaviour via a simple series of simulated attacks. Changing attitudes is, of course, a prerequisite to changing company culture.
3. Encourage questions
Questions highlight knowledge gaps.
Every time a question is answered, more information is shared. But few companies go as far as encouraging feedback or questions on cyber security.
The automated feedback forms that training platforms facilitate are usually an easy way to get the ball rolling.
4. Demonstrate value
Cyber security stories are often doom and gloom. Mistakes are berated and consequences dissected. Such stories hardly encourage people to discuss cyber security openly.
What might, though, is sharing wins – such as how individual people have prevented criminal attacks, or how much money has been saved as a result.
If that sounds nigh-on impossible, bear in mind platforms like CybSafe help you keep track of useful metrics you can use. Enlist a platform that tracks ROI and you’re halfway there.
5. Take steps to integrate security with people’s needs
It’s a sad fact that cyber security sometimes conflicts with a given individual’s immediate objective. Even sadder is the fact that, whenever someone chooses to ignore best practice, they see cyber security as increasingly irrelevant as a result. Why is this the case?
As discussed in point two, what we do influences how we think. With that in mind, ignoring best practice today makes it more likely we’ll ignore best practice again in the future. It’s for precisely this reason security professionals should take steps to integrate cyber security with individual team’s needs.
Doing so can be the difference between a vicious and a virtuous circle – one that eventually embeds cyber security into everyday culture.
6. Train everyone
Most likely for reasons of survival, people have an in-built desire to belong to a group of some shape or form.
Training your entire organisation – from the CEO to junior recruits – can foster a group that takes cyber security seriously.
The fact that training everyone also positions cyber security as a topic of importance usually makes it a prerequisite to a cyber security-focused culture.
7. Extend training to partners and suppliers
The people cyber criminals use when attacking an organisation aren’t always employed by the target organisation. They can just as easily be third parties, such as partners or suppliers. Failing to offer training to third parties, then, can lead to gaps in cyber defences.
Plugging the gaps – even when they lie outside your company – demonstrates just how serious cyber security is. Training suppliers and partners encourages a cyber-safe culture from the top down, and it’s usually easily done with today’s advancing cyber security platforms.
8. Make things personal
As nice as it might be, people rarely switch from leisure-mode to work-mode when arriving at the office. To truly ensure people take cyber security seriously, it’s undoubtedly worth helping people stay safe in their personal lives. Aside from being the right thing to do, the benefits will always spill over into the workplace.
As an added bonus, people usually have a greater incentive to follow best practice at home, where a cyber attack can lead to personal turmoil. Training people on how to stay safe outside of the office increases the chances of messages sinking in.
9. Keep things simple
“If TalkTalk had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system-wide.”
That’s a comment from Certes Networks’ Paul German following TalkTalk’s prolific 2015 breach. It makes sense. But it’s hardly accessible to those outside the industry.
As common sense dictates, cyber security must be easy to understand to ensure it’s enacted.
10. Conduct regular performance reviews
Performance reviews are a staple of most job roles today – yet rarely do such reviews take cyber security into account.
Although surely unintentional, performance reviews that fail to include cyber security do a good job of positioning cyber security as secondary to some other set of responsibilities.
Reporting analytics ensure individual performance can be monitored and fed back, giving cyber security a new-found priority.
In conclusion…
Cyber security continues to grow as an industry. But few companies have managed to weave cyber security into the very fabric of their organisation so far.
By implementing just one or two of the above points, cyber security practitioners can nudge people in the right direction.
A cyber secure culture is undoubtedly a prize worthy of pursuit.
CybSafe drives real and lasting change in the cyber security culture of your people and your organisation. 86% of organisations like yours, who view a CybSafe demo, go on to deploy the platform.
Sign up for your free demo today.
