Creating A Culture Of Cyber Security Throughout An Organisation

It lies within the essence of any good cyber security officer (CISO) to naturally want to engineer, foster and encourage a culture of pervasive cyber security awareness that spans across the organisation and is usually formulated on values that are already integral to the organisation – aligning closely to employee trust, responsibility, and empowerment ethics.

These CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organisation exposed and vulnerable, closely understanding the importance and safety that adherence to a detailed cyber security plan brings. 

Yet for roles outside of IT security and IT infrastructure, embarking on this full cultural change path isn’t always easy. Some CISOs struggle to gain an immediate internal acceptance of cyber initiatives as invariably extra security processes increase workloads, or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications.

Instead, CISOs should embark on a graduated path of cyber security sensitivities. There are three routes in this journey that CISOs need to become adept at developing. 

Creating True Culture Change

First, if they are to successfully build defences, CISOs need to fully understand roles and processes in the existing regime to understand why and when job functions rely on systems internally and externally that could pose and increase vulnerabilities.  

Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on-point for communications for threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local First Aider/Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential.

Recognised accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.     

Once a thorough understanding and development of network of cyber ambassadors is in place, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale in changing behaviours or methods of completing a task.

This education process can take many forms, starting with various impacts via a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and provide early indicators on how easily breaches may occur and how new cyber processes can be effectively adopted. 

Additionally, real world documented examples are often used to show how breaches have been catastrophic in similar sized organisations. Ongoing interactive education is key to building a continued culture of security. Education and learnings on the impact of the breach ramifications - from the board level to new recruits – is essential, at all times building cyber security as an enabler rather than another workflow process to achieve. Successful companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and primary to employees’ performance (and renumeration). HR therefore also play a key part determining a blame-free, but responsible, empowering security culture. 

The Right Tools & Resources

Setting a culture by its very nature, means that all are driving for the same goal. That means gentle, but constant re-enforcement. Often headlines as simple as the 2020 report that showed 79% of US organisations had succumbed to phishing attacks* can lead CISOs to test their own resiliency with fake phishing attacks to see who inadvertently opens untrusted links. And here’s where the third part of cyber empowerment needs careful handling to avoid falling into negative scare tactics when results highlight gaps. CISOs for their part, need to at all times, empower employees with the right enterprise monitoring tools and resources to intelligently identify, question and report suspected attacks. 

They also need to deploy easy to use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in the ongoing monitoring of asset discovery to see which assets and software are lurking in the infrastructure (or may have recently added to the infrastructure) Endpoint security, especially in hybrid environments, is more important than ever to be fully enabled to make employees cyber safe and aware. 

Once a culture exists internally, next, CISO attention must turn toward suppliers and partners who themselves can create entry points for breaches. This can be achieved by clearly setting the organisations cyber security expectations and asking suppliers to prove compliance and adherence towards these documented standards but within a realistic, agreed timeframe. 

Research highlights that successful behavioural change is always a two-way exchange. To achieve an ongoing culture of acceptance, any deployments made by cyber security officers must exist alongside employee productivity so that being security conscious is viewed as a positive and worthwhile experience for the entire organisation. 

Michael Cantor is CIO of Park Place Technologies

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks (£)

 

 

« Elon Musk Isn't Buying Twitter
New Scanning Tool Protects Websites From Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

GFI Software

GFI Software

GFI Software works with System Administrators, IT Professionals and IT Executives to ensure that their IT infrastructures are monitored, managed, secured and compliant.

National Cyber Security Centre Finland (NCSC-FI)

National Cyber Security Centre Finland (NCSC-FI)

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services in Finland.

CERT Syria

CERT Syria

CERT Syria is the national Computer Emergency Response Team for Syria.

VisionWare

VisionWare

VisionWare provide consulting services and solutions in areas covering both physical and digital security.

CyberGreen Institute

CyberGreen Institute

The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem.

HoxHunt

HoxHunt

HoxHunt is an automated cyber training program that transforms the way your employees react and respond to the growing amount of phishing emails.

Vehere

Vehere

Vehere specialises in mission critical signals aquisition and analytics platform and cyber defence systems.

Seavus Accelerator

Seavus Accelerator

Seavus Accelerator's goal is to create an enabling and stimulating environment for start-ups growth and provide continuous high quality acceleration and investment support.

Aristi Technologies

Aristi Technologies

Aristi provides cybersecurity risk and compliance services to help manage your unique cyber risks, safeguarding your systems and data and complying with government and industry standards.

Regulativ.ai

Regulativ.ai

Regulativ.ai is an innovative and comprehensive platform, driven by AI, to address the regulatory and compliance needs of Cyber Security Regulatory compliance and reporting.

National Security Services Group (NSSG)

National Security Services Group (NSSG)

National Security Services Group (NSSG) is Oman's leading and only proprietary Cybersecurity consultancy firm and Managed Security Services Provider.

Intigriti

Intigriti

Intigriti helps companies protect themselves from cybercrime. Our community of ethical hackers provides continuous, realistic security testing to protect our customer’s assets and brand.

Acora

Acora

Acora provide a range of best-in-class managed services, Microsoft-centric business software, and cloud solutions designed to help mid-market organisations succeed in the digital economy.

Cloudflare

Cloudflare

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.

Rezonate

Rezonate

Rezonate discovers, profiles, and protects Identities and their entire access journey to cloud infrastructure and critical SaaS applications. Preventing and stopping cyberattacks.

Cynclair

Cynclair

Cybersecurity is a complex beast. And we're the beast-tamers. Our team thrives on deciphering the latest threats, building cutting-edge defenses, and making your digital world much safer.