Creating A Culture Of Cyber Security Throughout An Organisation

It lies within the essence of any good cyber security officer (CISO) to want to engineer, foster and encourage a culture of pervasive cyber security awareness that spans the whole organisation. Such a culture is usually built on values already integral to the organisation, aligning closely with employee trust, responsibility and empowerment.

These CISOs are the risk management professionals who live and breathe the knowledge that a lapse by any single employee can leave the entire organisation exposed and vulnerable, and who understand the protection that adherence to a detailed cyber security plan brings.

Yet for roles outside of IT security and IT infrastructure, embarking on this path of full cultural change isn’t always easy. Some CISOs struggle to gain immediate internal acceptance of cyber initiatives, as extra security processes invariably increase workloads or, in more extreme scenarios, initially decrease productivity as users grapple with additional layers and verifications.

Instead, CISOs should embark on a graduated path of cyber security awareness. There are three routes on this journey that CISOs need to become adept at developing.

Creating True Culture Change

First, if they are to successfully build defences, CISOs need to fully understand the roles and processes of the existing regime, so that they know why and when job functions rely on internal and external systems that could introduce or increase vulnerabilities.

Secondly, as with all successful change, CISOs should spend the first months of a cyber change initiative on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They become practical flag bearers for ongoing change and the point of contact for communications about threat handling and remediation. These departmental cyber champions also field questions and concerns about cyber issues, much as a local First Aider or Health and Safety Officer does. Creating any true culture change needs to facilitate two-way communication from day one and needs to embrace everyone, so selecting the right team is essential.

Recognised, accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here, as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, it also leads to personal recognition that reflects positively on future career opportunities.

Once a thorough understanding is in place and a network of cyber ambassadors has been developed, CISOs need to move quickly to developing additional employee security practices and providing direction on their ongoing cadence. But these new or enhanced preventive measures invariably add to the time it takes employees to finish their jobs. Collective attitudes towards prioritising cyber security, and by extension the creation of a cyber culture, can only be changed by first educating employees on the importance of, and rationale for, changing the way a task is completed.

This education process can take many forms. It can start with a series of simple simulated attacks that feed anonymised responses back to risk professionals, highlighting gaps in knowledge and providing early indicators of how easily breaches may occur and how effectively new cyber processes are being adopted.

Additionally, documented real-world examples are often used to show how catastrophic breaches have been in organisations of a similar size. Ongoing interactive education is key to building a continued culture of security. Education on the ramifications of a breach, from board level to new recruits, is essential, at all times presenting cyber security as an enabler rather than as just another workflow process to complete. Companies that successfully avoid security breaches on an ongoing basis also bring cyber security into annual employee reviews, keeping it top of mind and central to employees’ performance (and remuneration). HR therefore also plays a key part in determining a blame-free, but responsible and empowering, security culture.

The Right Tools & Resources

Setting a culture, by its very nature, means that everyone is driving towards the same goal. That requires gentle but constant reinforcement. Headlines as simple as the 2020 report showing that 79% of US organisations had succumbed to phishing attacks* often lead CISOs to test their own resilience with simulated phishing campaigns to see who inadvertently opens untrusted links. This is where the third part of cyber empowerment needs careful handling, to avoid falling into negative scare tactics when the results highlight gaps. CISOs, for their part, need at all times to empower employees with the right enterprise monitoring tools and resources to intelligently identify, question and report suspected attacks.

They also need to deploy easy-to-use, reliable preventive tools such as password managers and dependable email security software, while not neglecting their own role in ongoing asset discovery and monitoring to see which assets and software are lurking in the infrastructure (or may have recently been added to it). Endpoint security, especially in hybrid environments, is more important than ever and must be fully enabled to keep employees cyber safe and aware.

Once a culture exists internally, CISO attention must next turn towards suppliers and partners, who can themselves create entry points for breaches. This can be achieved by clearly setting out the organisation’s cyber security expectations and asking suppliers to prove compliance with these documented standards, within a realistic, agreed timeframe.

Research highlights that successful behavioural change is always a two-way exchange. To achieve an ongoing culture of acceptance, any deployments made by cyber security officers must coexist with employee productivity, so that being security conscious is viewed as a positive and worthwhile experience for the entire organisation.

Michael Cantor is CIO of Park Place Technologies
