Cyber-attacks happen. If some of the world's largest organizations and even cybersecurity companies can fall victim to cyber-criminals, it can happen to anyone. While it's not desirable by any stretch of the imagination, it's not the end of the world. Organizations should treat cyber incidents as a teachable moment, examining what went wrong and how they can prevent it from happening again; a cyber-attack is an opportunity to cultivate a positive security culture.
However, business leaders often struggle to implement security measures without being overbearing. The line between an organization that empowers its employees to carry out their role safely and one resembling an Orwellian overlord is incredibly thin; this article will explain how you can walk that line.
What is a Positive Security Culture?
A positive security culture is one in which employees feel comfortable and confident speaking openly about security issues, trusting that their organization will judge their actions or decisions fairly and empathetically. Positive security cultures liberate staff, ensuring they make decisions that protect the entire organization, not just themselves.
Positive security cultures have four essential components:
- Strong Leadership: Company executives – CISOs in particular – must lead by example, demonstrating their commitment to security and promoting a culture seen as a fundamental part of the business, not a hindrance.
- Clear Communication: Organizations must establish effective communication channels where staff can express security concerns, ask questions without fear of judgment, and report cybersecurity incidents anonymously or without fear of consequences. Security teams must collaborate and communicate with other departments and explain why they are introducing policies rather than simply enforcing them.
- Simple Reporting: Complex or time-consuming reporting processes will prevent employees from flagging cybersecurity incidents. Organizations must establish transparent, accessible reporting processes and ensure employees know them.
- Awareness Training: Employees need regular cybersecurity awareness training to identify possible threats and avoid falling victim to social engineering scams. Organizations should tailor training to specific job roles and levels of technical expertise to avoid overloading staff with unnecessary information.
Striking a Balance
Cultivating a positive security culture without becoming ‘Big Brother’ relies on balancing monitoring, governance and trust. For example, many organizations are reaping the benefits of artificial intelligence (AI) and machine learning (ML) solutions in the form of insider threat management tools. Given that insider threats are a growing problem, this is an advisable move.
However, these solutions leverage behavioral analytics, monitoring employee activity around the clock. Understandably, staff may be discomfited by the idea that their organization is constantly watching them. Organizations must prove to employees that this monitoring is purely for security purposes and will never fall into the hands of HR or performance review teams.
Similarly, transparency is critical to ethically cultivating a positive security culture. Security teams must communicate the purpose and scope of all security measures, emphasizing that they are solely for safeguarding the organization and its stakeholders. Organizations should produce written, accessible policies and guidelines that employees can refer to.
Establishing good relationships between security teams and other departments is essential for a positive security culture. Encourage regular inter-departmental conversations to ensure employees feel comfortable with security teams – team-building exercises, cross-functional projects and collaborative initiatives are great ways to achieve this.
Organizations should also celebrate success stories wherever possible. Employees tend to hear about cybersecurity only when there has been an incident and thus have a negative view of it. Organizations should recognize employees who identify threats or otherwise act to defend the organization from cybercrime – give them shout-outs in internal newsletters, team meetings or at organizational events.
It's also important to emphasize that cybersecurity isn't just for the organization's well-being but for employee well-being. Many major cyber-incidents have involved staff data, including sensitive information such as social security numbers or credit card details. Unfortunately, not all employees will ultimately care about their employer, but they will care about themselves.
Involving employees in incident response is another great way to encourage organizational transparency and foster a positive security culture. When an incident occurs, security teams should invite employees to contribute to the response process so they better understand why the event occurred and how it could have been prevented, and feel like a valued part of the organization.
A positive security culture involves strong leadership, clear communication, simple reporting processes and regular cybersecurity awareness training. Employees should feel comfortable reporting cyber incidents and discussing cybersecurity concerns. To avoid being perceived as ‘Big Brother,’ organizations should encourage good communication between security teams and other departments through team-building and cross-functional projects. Transparency is critical to a positive security culture, and organizations should make every effort to explain to staff why security policies are necessary.