5 Ways to Create a Cybersecurity Culture in Your Organization
By: Thomas Coffey, VP of Security, Cerberus Security
Cybersecurity Impacts Every Aspect of Digital Life
Every aspect of our modern digital environment is sustained by a vast network of systems that keeps businesses running and data circulating across business environments.
These IT systems underpin banking, telecommunications, transportation, national defense, healthcare, supply chains and a myriad of other networked services, all of which rely on the currency of data, day in and day out.
At every point of engagement, cybersecurity is an essential and invaluable asset, not only for keeping information safe but also for maintaining business-critical operations around the world.
How Can You Create a Culture of Cybersecurity in Your Organization?
Taking a technology-agnostic approach to cybersecurity means treating security issues without allegiance to any vendor, technology, or solution. This unbiased approach prioritizes agility: as new threats emerge, defensive approaches must evolve alongside them to limit the harm that cybercriminals or nation-state actors can do.
Staying actively engaged with cybersecurity means building a Cybersecurity Culture, or CSC. Within an organization, CSC refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values held about cybersecurity, and to how those internalized values show up in behavior across the IT environment and technology stack.
CSC is fundamentally about making data security an integral part of the way day-to-day operations are thought about, as in "this is how we operate." It is a misconception that technology alone will reduce or eliminate risk. A recent Boston Consulting Group study found that most data breaches, 77% of them, were the result of organizational failure, process failure, or human error, not of inadequate investment in security technology.
A Cybersecurity Culture closes that gap by giving employees a framework that is intuitive and habitual, the default stance from which daily internal and external interactions take place.
Adopting the right approach to information security lets a resilient CSC develop naturally. The CSC shapes employees' behaviors and attitudes towards information assets at work and, like the company's wider organizational culture, it can be deliberately shaped, directed, and transformed.
Because business environments constantly change, organizations must actively maintain and adapt their CSC in response to evolving technologies and threats, as well as to their own changing goals, processes, and structures.
A successful CSC shapes the security thinking of all staff (including the security team), improving resilience against cyber threats, especially those that begin with social engineering.
5 Ways to Create a Cybersecurity Culture in Your Organization
1. Begin with a complete audit of the current organizational and Cybersecurity Culture
   - Understand the current cultures, values, practices, and beliefs in the organization.
   - Produce a SWOT analysis (Strengths, Weaknesses, Opportunities and Threats) report; this is the gap analysis that the later steps build on.
2. Build a Cybersecurity Culture program
   - Establish a Cybersecurity Culture workgroup to generate cybersecurity knowledge and to shape the program and its strategy. The core team should draw from overlapping departments such as HR, Information Security, Marketing/Communications, IT, and Risk/Compliance/Legal.
   - This core team should work closely with the C-suite, delivering status reports on the program and defining goals, activities, and performance blind spots.
3. Implementation plans
   - After reviewing the results of the gap analysis, the core team can identify weak points in the current Cybersecurity Culture and work to test and improve them.
   - Company-wide awareness campaigns can take the form of workshops, webinars, game scenarios and mock attacks, including simulated phone calls, simulated phishing emails and malware incident drills.
   - Ongoing risk testing and risk analysis ensure continuous education and improvement, mitigating vulnerabilities and reinforcing values.
4. Communication
   - Provide a periodical or newsletter, plus access to articles and webinars, that shares the latest organizational achievements and security knowledge, so that all employees are aware of the Cybersecurity Culture.
   - Keep defining acceptable and unacceptable behaviors as an extension of the organization's overall vision and mission of excellence.
5. Regular evaluation
   - Continuous improvement means that a robust CSC program monitors employee activity to identify potential threats or security issues.
   - A Security Operations Center (SOC) team should work closely with the program's core team on reporting and on an overview of security events and improvements to IT security tooling.
   - Core team members are also responsible for sending out surveys that test cybersecurity awareness, and for reporting any issues to management so that systemic problems or specific areas of concern can be identified.
Best Practices & Continuous Improvement
Building a Cybersecurity Culture is an ongoing learning process that delivers measurable benefits to the organization and lasting behavioral change. Cybersecurity awareness is a subset of Cybersecurity Culture: employee awareness or understanding is just one element of a holistic CSC.
A Cybersecurity Culture program takes a broader and more nuanced view of an employee's cybersecurity posture, encompassing behaviors, attitudes, norms, beliefs, interactions and values as well as engaged awareness.
A Cybersecurity Culture (CSC) requires comprehensive engagement from employees at all levels. Every employee is therefore responsible not only for their own behavior but also for helping to create an IT environment that aligns with cybersecurity practices and policies across the organization's departments. The right tools and ongoing training help maintain compliance as threats evolve and technologies change. Do not wait until it is too late. Focus on developing and implementing a Cybersecurity Culture now!