The 7 Elements of an Organization’s Cybersecurity Culture
Sometimes, an effective 'human firewall' is all you need to prevent or mitigate the cyberthreats enterprises face today. Deploy these seven elements of cybersecurity culture to help safeguard your organization against digital risks.
Most decision makers think of cybersecurity in terms of risk and technology while entirely overlooking the human aspect. However, statistics show that human error is the top cybersecurity risk for many enterprises. Relegating cybersecurity measures entirely to the IT department misses a decisive element needed to safeguard modern businesses from the growing storm of digital threats: culture.
According to Experian’s Managing Insider Risk Through Training and Culture Report, 66% of the data protection and privacy training professionals surveyed said their employees were the “weakest link” in their efforts to safeguard their organization from cyberthreats. A cybersecurity culture plays an instrumental role in mitigating cyberthreats, both through proactive measures and through reactive, strategic protocols.
What is Security Culture?
Culture is foremost about mindset. A security culture sums up an organization’s strength, accountability, and resilience in the face of cyberthreats from a human standpoint. It is about building the foundations of a "human firewall" against digital attacks.
Elements of a Security Culture
A cybersecurity culture is one that encompasses the entire organization -- across processes, teams, metrics and tools. Integrating the following attributes and best practices throughout an organization is one of the biggest challenges facing decision makers and security leaders today, but doing so has never been more vital.
1. Leadership Support
Leadership support is paramount to a strong security culture. It works as a cascade: it begins with senior management, through behavioral and financial investments, and expands to the terms and policies put forth by CISOs and defined by department-level heads. Together, these are foundational to the implementation of a security culture.
2. Cross-Functional Liaisons
The diversity of threats and vulnerabilities across organizations demands a multidisciplinary taskforce dedicated to the following:
identifying risks and opportunities;
bridging the gap in security priorities across different departments, such as IT/operational technology or sales and support;
analyzing areas of redundancy in tools and vendor products; and
developing specific safeguards to be deployed across business functions, teams and products.
The taskforce of cross-functional liaisons is also instrumental in identifying cultural barriers to a secure mindset and best practices. In one instance, United Airlines, a major American airline, developed an awareness and education team dedicated to embedding security into the DNA of the company across all its operations. "Cyber ambassadors" and "friends of security" were elected across the various teams to watch for security issues in their respective departments. Equipping them with the perspectives of both subject matter experts and general associates was critical to ensuring that the whole organization remained fortified.
3. Awareness and Education
Building awareness among employees is half the battle won against cyberthreats - especially because social engineering and human error account for most successful intrusions.
Security leaders and IT facilitators should be responsible for designing an education curriculum that stretches beyond PowerPoint presentations, password tips and annual evaluations. Develop contextual training for staff that is transparent about potential risks, their implications and the cascading effects of bad security habits. Illustrating how threat actors target proprietary assets, third-party vendors and remote working tools will go a long way toward ensuring understanding and facilitating inclusion. Ongoing, easy-to-grasp training should include:
real-life examples, updated for the times;
how-tos -- for example, how to spot suspicious behaviour, report an issue and contain threats;
feedback mechanisms to improve the culture around security, processes and tools;
opportunities for skills development, such as becoming a "cyber ambassador."
4. Employee Relevance
The need for awareness may be universal; however, training and education processes are not “one size fits all.” It is vital for employees to understand their specific responsibilities and how their roles and actions can help or hinder the security structure of an organization. This involves developing cybersecurity procedures that integrate seamlessly into employees' daily procedures and work routines, rather than demanding cumbersome or radical changes. Learning tools and training styles that personalize content can be a good start. Including scenarios that are familiar and resonate with their work stream can further drive understanding and engagement.
5. Attitudes and Actions
Organizational culture is essentially a feeling, which includes beliefs, assumptions and general engagement with the company and its perceived values. Part of this involves making employees feel comfortable -- not stupid -- if they make a mistake, and confident -- not panicked -- when an incident occurs. In simple terms, employees should feel good about contributing to the company's cybersecurity resilience. Finning International, a distributor of heavy machinery, employed psychologists to gain an understanding of how people can learn about security in relatable ways. The company devised several training modules to support different learning styles; gamification, short videos and face-to-face discussions were among them. The modules were tailored to facilitate inclusion among employees across different geographies and languages.
6. Information Sharing
Cybersecurity culture also involves the company’s environment outside its four walls. Information sharing among peers, stakeholders, customers and suppliers offers diverse perspectives on cyberthreat vectors that may have gone under the radar. Not only is this valuable to the company’s own security culture, but it is also a direct line to product innovation in the name of security.
7. Metrics
Metrics are important to monitor the effectiveness and overall value of training. Incorporating gamification, competitions or quick tests into security training processes can play a pivotal role in providing helpful insights into which modules resonated and what concrete knowledge and behaviours stuck. They are also important for articulating the value proposition of these procedures to senior management to facilitate continued investment.
A Strong Foundation is Key to a Strong Security Posture
According to recent insights from a Forbes survey of 200 CISOs, organizations with a siloed approach to cybersecurity experience more negative effects than those with an enterprise-wide approach. The downstream costs of such a singular, tactical focus are significant and growing:
costs of breach (revenue loss, downtime, reputation);
massive influx of incidents in recent years;
sophisticated tactics, powered by emerging technologies;
major lack of security talent;
leaders as targets; and
frontline employees as targets.
A security culture in the workplace is your first line of defense against an ever-expanding array of attacks.
"Technology is safe, only humans are vulnerable" – Srinivas Padmanabhan
"One Single Vulnerability is all an attacker needs" – Window Snyder