Creating A Culture Of Cyber Security Throughout An Organisation

It lies within the essence of any good cyber security officer (CISO) to naturally want to engineer, foster and encourage a culture of pervasive cyber security awareness that spans across the organisation and is usually formulated on values that are already integral to the organisation – aligning closely to employee trust, responsibility, and empowerment ethics.

These CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organisation exposed and vulnerable, closely understanding the importance and safety that adherence to a detailed cyber security plan brings. 

Yet for roles outside of IT security and IT infrastructure, embarking on this full cultural change path isn’t always easy. Some CISOs struggle to gain an immediate internal acceptance of cyber initiatives as invariably extra security processes increase workloads, or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications.

Instead, CISOs should embark on a graduated path of cyber security sensitivities. There are three routes in this journey that CISOs need to become adept at developing. 

Creating True Culture Change

First, if they are to successfully build defences, CISOs need to fully understand roles and processes in the existing regime to understand why and when job functions rely on systems internally and externally that could pose and increase vulnerabilities.  

Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on-point for communications for threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local First Aider/Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential.

Recognised accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.     

Once a thorough understanding and development of network of cyber ambassadors is in place, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale in changing behaviours or methods of completing a task.

This education process can take many forms, starting with various impacts via a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and provide early indicators on how easily breaches may occur and how new cyber processes can be effectively adopted. 

Additionally, real world documented examples are often used to show how breaches have been catastrophic in similar sized organisations. Ongoing interactive education is key to building a continued culture of security. Education and learnings on the impact of the breach ramifications - from the board level to new recruits – is essential, at all times building cyber security as an enabler rather than another workflow process to achieve. Successful companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and primary to employees’ performance (and renumeration). HR therefore also play a key part determining a blame-free, but responsible, empowering security culture. 

The Right Tools & Resources

Setting a culture by its very nature, means that all are driving for the same goal. That means gentle, but constant re-enforcement. Often headlines as simple as the 2020 report that showed 79% of US organisations had succumbed to phishing attacks* can lead CISOs to test their own resiliency with fake phishing attacks to see who inadvertently opens untrusted links. And here’s where the third part of cyber empowerment needs careful handling to avoid falling into negative scare tactics when results highlight gaps. CISOs for their part, need to at all times, empower employees with the right enterprise monitoring tools and resources to intelligently identify, question and report suspected attacks. 

They also need to deploy easy to use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in the ongoing monitoring of asset discovery to see which assets and software are lurking in the infrastructure (or may have recently added to the infrastructure) Endpoint security, especially in hybrid environments, is more important than ever to be fully enabled to make employees cyber safe and aware. 

Once a culture exists internally, next, CISO attention must turn toward suppliers and partners who themselves can create entry points for breaches. This can be achieved by clearly setting the organisations cyber security expectations and asking suppliers to prove compliance and adherence towards these documented standards but within a realistic, agreed timeframe. 

Research highlights that successful behavioural change is always a two-way exchange. To achieve an ongoing culture of acceptance, any deployments made by cyber security officers must exist alongside employee productivity so that being security conscious is viewed as a positive and worthwhile experience for the entire organisation. 

Michael Cantor is CIO of Park Place Technologies

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks (£)

 

 

« Elon Musk Isn't Buying Twitter
New Scanning Tool Protects Websites From Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

National Cyber-Forensics & Training Alliance (NCFTA)

National Cyber-Forensics & Training Alliance (NCFTA)

NCFTA is a trusted alliance of private industry and law enforcement partners dedicated to information sharing and disrupting cyber-related threats.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

Tesorion

Tesorion

Tesorion is a fusion of different enterprises each with its own specialisation in the field of cybersecurity. We have combined these specialisations to create an integrated comprehensive solution.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

AnChain.AI

AnChain.AI

AnChain.AI's analytics platform proactively protects crypto assets by providing proprietary artificial intelligence, knowledge graphs, and threat intelligence on blockchain transactions.

Avertium

Avertium

Avertium is the managed security and consulting provider that companies turn to when they want more than check-the-box cybersecurity.

LogicHub

LogicHub

LogicHub is built on the principle that every decision process for threat detection and response can and should be automated.

NWN Corp

NWN Corp

NWN Corporation is a leading Cloud Communications Service Provider (CCSP) focused on transforming the customer and workspace experience for commercial, enterprise and public sector organizations.

CyberUSA

CyberUSA

CyberUSA is a collaboration of leaders and states focused on a common mission purpose of enabling innovation, education, workforce development, enhanced cyber readiness and resilience.

SOOS

SOOS

SOOS is the easy-to-integrate software security solution for your whole team. Build, catch, and fix vulnerabilities with SOOS Software Composition Analysis.

HiddenLayer

HiddenLayer

HiddenLayer is a provider of security solutions for machine learning algorithms, models and the data that power them.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.

Internet Watch Foundation (IWF)

Internet Watch Foundation (IWF)

Since the early days of the internet, our job has been to help child victims of sexual abuse by hunting down and removing any online record of the abuse.