How to Build a Culture of Cybersecurity

It is clear from the headlines about breaches that many people still do not take cybersecurity seriously. The majority of these breaches were enabled by an employee inadvertently taking some action that opened the door to the attacker. In spite of the highest levels of management insisting that protecting data is a priority, why is it that some of us still take those enabling actions? Why isn't everyone on board with cybersecurity?

There are two fundamental problems. One is that cybersecurity is seen as the responsibility of the IT security group. The other is that too often the security awareness training does not convey the idea that everyone needs to integrate secure behaviors into their day-to-day actions. We may hear that cyber-threats are a scary thing, but we think of them as someone else's problem to solve.

The failing is in the way the cybersecurity message is conveyed from the top throughout the organization; the delivery of the message is delegated to a training program that is infrequent and inadequate in expressing the importance of doing day-to-day work in a secure fashion.

Don't Just Delegate, Get Involved
The lack of direct involvement by executive management in encouraging everyone to integrate secure behaviors into everyday work places security at a low priority. Research shows that when management support for security awareness is not highly visible, awareness training programs have little effect. On the other hand, organizations that say their awareness programs are driving change overwhelmingly attribute it to involvement from executive levels living and promoting a culture of security.

Breaches Can Have a Big Impact on Bottom Line
In those cases, what motivates those at the top to motivate the rest of the organization? Typically competitive advantage drives the effort; protecting data is good for business. Often the greatest financial harm results from lost business. For example, large retailers can lose millions in revenue in the period after a breach. Even worse, the public's negative view of the company after a breach can result in missed revenue that is nearly impossible to measure. This is on top of the costs related to the breach itself.

Walking the Executive Sponsorship Talk
Sponsorship of a security-awareness program must go beyond endorsing or even funding a program. Key players must make themselves visible in promotional messages to their user audience, at new-hire training and other training events, and at the introduction of online training modules.
Perhaps the most important endorsement executive management can give is to emphasize security when setting priorities for middle management. While we hear of CEOs leaving their company shortly after a breach, it is not unusual for middle management to feel no responsibility for securing data; that is the responsibility of IT security, after all. Just as executive role modeling is the foundation for getting everyone on board, middle management can play a big part by encouraging staff to take the time to incorporate secure practices into the workday.

When You Spend Money, Spend It on a Program That Works
Finally, there is a financial investment the executive team can make, a small one in comparison to the costs of some of the larger breaches: a robust security awareness training program. A robust training program is one that shows, not tells, the user what secure work behaviors look like, and one that is delivered frequently enough that those behaviors have a chance to take hold and become a work habit.

Staying Secure in a More Connected World
Starting at the top, with an eye on the bottom line, executive management has the opportunity to build a culture of security with a security awareness training program that shows secure work behaviors.
