Internal culture is a major determinant of how effective organizations’ cybersecurity practices and behaviors are, according to a panel discussion at this week’s Digital Transformation Expo.
They began by looking at how organizations can maintain a strong cybersecurity culture even while many workforces are primarily operating remotely as a result of the COVID-19 pandemic. Sarah Janes, managing director, Layer8, said that organizations must be mindful of the fact that “change is multifaceted, it’s a weave of different conversations with people, hearing things on social media, checking it out with a friend, different opinions.”
Having good communication is inherently more difficult in the work-from-home model. Nevertheless, Janes explained that she has been working with companies to develop “security champions”: people who sit in different areas of the business and are already in close contact with their team, to continue the conversation about security. She commented: “It’s important to understand that there’s lots of different things that people may need to know to change their behavior and having local security champions at the grassroots can really enable that.”
Marilise de Villiers, founder and CEO, MdVB Consulting, acknowledged that while conversations can take place virtually, they cannot replace the interactions employees have in an office environment, potentially leading to a feeling of disconnect. However, she does believe that those organizations whose leaders regularly check in with their teams are more successful in maintaining a culture where all staff feel empowered to speak up to help improve security.
In fact, if done well, the shift to remote working may even prove an opportunity to make better security a company-wide goal, according to Janes. “I think there always has to be an opportunity to move outside the security teams, to make security work for different parts of the business – we have to take time to build relationships, and understand the perspectives of the different business functions.”
More generally, de Villiers outlined her belief that cybersecurity culture is inherently linked to the overall culture of an organization: “I think organizational culture either helps or hinders secure behaviors,” she said. As such, the broader values of a company must be taken into account when deciding upon a cybersecurity strategy.
For instance, a key facet of a strong cybersecurity culture is enabling a safe “speak up” environment for all staff, in which anything suspicious, or anything that needs to be changed, is reported. However, if the organization as a whole has a fear-based culture, this type of behavior will not be possible. de Villiers added: “I always advise to look at the culture holistically and to see how we can integrate our security efforts with the wider organizational culture.”
Janes added that the way security professionals talk about security in front of senior management in the organization is also crucial to shaping culture, arguing that this needs to be monitored carefully by individuals in these teams. She said: “[For example] are we talking about people being the weakest link, are we talking about cyber-criminals always being one step ahead of us, because what organizations talk about, they will do more of.”
The panel then delved into the topic of diversity, and discussed why having diverse security teams is important from a business perspective, particularly in developing the right cybersecurity culture within organizations. de Villiers commented: “We need that cognitive dissonance where people can bring in different perspectives but also where those different perspectives are being embraced.”
Janes added: “Diverse teams make better decisions, and organizations that make better decisions perform better… if we bring that into our world, and we think about the critical thinking that’s needed for dealing with an incident, that is immense to be able to make the best decisions.”
Hiring individuals with the right soft skills, such as empathy, as well as technical abilities in security teams is another component of bringing about the right culture across entire organizations, according to Janes. “You can have all the technology in place, you can have your strategies, and they can be the best in the world, but if you lack the ability to build rapport and have a really good conversation with the board, then it makes it really difficult to achieve your objectives,” she noted.
Janes concluded by reaffirming that communication is the foundation for a successful cybersecurity culture: “It is the ability to really integrate and have an understanding of all the different parts of the business.”