A panel of experts discussed ways organizations should establish a security-first culture during day one of the Cloud & Cyber Security Expo at Excel, London, UK.
Moderating the session, John Scott, head of education, cybersecurity division, at the Bank of England, outlined his belief that security culture is about "how closely your business and security are aligned."
An important tenant in this approach is effective user education, which Ben Jenkins, senior solutions engineer at Threat Locker, said needs to demonstrate to staff "why it is they are being trained." He added that it is very easy for organizations to invest in security technologies, but users will generally tend to try and find ways around systems to make their lives easier. Therefore, explaining to end-users why those technology solutions are in place is fundamental to ensuring these tools are effective.
Jack Hayward, head of information security at the Wellcome Trust, stated that the most significant barrier to an effective security culture is ensuring people "understand they have a part to play" in their organization's cybersecurity. He noted that historically, IT teams are seen as being there to protect everyone. However, this mindset doesn't work anymore, as all staff "need to access the internet, use email," putting them out of reach of security teams' protection.
Jenkins emphasized that while user awareness training is important, tech solutions are highly necessary, as there will always be situations where users make errors, such as clicking on a phishing link on an email. For example, he noted the vast majority of ransomware incidents are caused by a user clicking a malicious link in an email, something that can never be completely eliminated. After all, cyber-criminals "only have to be lucky once" to get through.
Sometimes, users are put in the position to make a "least-worst decision" regarding cybersecurity; for example, after they have made an initial error, noted Scott. He asked how users can be trained to deal with such scenarios. In Hayward's view, the key is developing a "safe opportunity to report things," which is an environment where staff know "they are not going to be shouted at or fired" for their mistakes.
The panel then discussed the role of senior leadership in engendering a security culture. Jenkins said getting buy-in from senior leaders is critical since a security-first culture is impossible without it. He believes security teams need to provide regular webinars and training for senior leaders on cybersecurity to demonstrate "why they need solutions" and show them stats on cyber-attacks.
Hayward concurred but argued a slightly different approach has to be taken to gain buy-in at the board and c-suite level. This includes "talking about risk in financial terms," which will make them "immediately understand." Another is conducting regular breach simulation exercises to showcase what would happen to a business in practical terms following a successful attack. "Otherwise, it doesn't really hit home," added Hayward.
Scott also asked what first steps organizations should take when developing a security-first culture. Hayward argued that "humility is most important," whereby IT teams should avoid positioning themselves as protectors and instead clearly tell staff they are part of the solution.
Agreeing, Scott said security teams should show staff they're working with them in security, and in playing this role, "they're helping the business."