In a world where data breaches, exfiltration and extortion have become normalized, global governing bodies are placing organizations’ cybersecurity policies under greater scrutiny.
Against this backdrop, a strong security culture is the compass that will ensure organizations navigate changes in the regulatory environment with less friction. “Culture eats strategy for lunch” is a truism that permeates cybersecurity planning.
Why? Culture is a guiding principle for good cyber governance because it shapes how people think and act, influencing their decision-making process: Should I click on that link? Does that person I’m on a call with look real or could they be a deepfake? Why is there such urgency around this transaction?
Culture is a supporting structure that empowers employees to stop, pause, take a breath and think about their actions. It is therefore one of the most important pieces of the cyber defense jigsaw puzzle. A good security culture is founded on a few critical factors: communication, empathy and competition.
Communicate, Communicate, Communicate
What I’ve learned over two decades in security leadership is that when it comes to cybersecurity, over-communication is impossible. Engaging employees is a strategic and ongoing endeavor; it is not a ‘one and done’ event. The conversation needs to be a visible part of everyday business and span multiple communication channels.
Cybersecurity also requires many ‘spokespeople.’ It can’t just be me talking about security; our leadership must drive and own those conversations, as well as modelling the very behaviors we’re asking their teams to adopt. For example, I can’t tell people to use multi-factor authentication if I haven’t first made sure the best product is enabled and ready for them to use.
Engage with Empathy
It’s not anyone’s fault that there are threat actors looking to manipulate and take advantage of them. A guiding principle for our team is that we don’t victim shame. That’s essential to ensuring that we cultivate an open culture. If someone has accidentally clicked on something they shouldn’t have, the faster we know about it the better.
If someone feels like they are going to be chastised, they are going to be more reluctant to come forward. Cybersecurity is a human problem that needs to be met with a human response. You can have excellent technology and fantastic process, but all roads lead back to people – people must use the tech, people must engage with your processes and people must feel empowered to speak up when they are uncertain.
Competition Spurs Action
We are a cybersecurity product company. Security must be embedded in everything we design and engineer from the ground up. This is not about us meeting a certain standard – we are the standard, and we take that responsibility very seriously. That’s why product and engineering are integrated into our risk management meetings. We want to work together across the business to quickly identify anything that could lead to a vulnerability.
A bit of healthy competition between the different teams helps as well. For example, we have built a vulnerability scorecard for our product development teams. This scorecard tracks our key vulnerability metrics and is presented to executive leadership and leaders of the product teams monthly.
Nothing motivates a high performing team like being measured and compared to their peers; everyone wants to be at the top of the leaderboard and have the best vulnerability metrics.
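The article does not describe how its scorecard is computed, so what follows is an added example of one way to build such a scorecard, not the company’s own tool or metrics. It assumes a simple finding record (team, severity, opened and closed dates), hypothetical per-severity remediation SLAs and weights, and a constructed set of sample findings for three fictional teams. It computes the metrics a monthly scorecard typically carries (open findings, open critical/high findings, SLA breaches, mean time to remediate) and ranks the teams on a weighted risk score so that overdue findings hurt more than fresh ones.

```python
"""Monthly vulnerability scorecard for product teams (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs (days) and risk weights per severity. These are
# illustrative choices for this example, not numbers from the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    team: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None means the finding is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days from opening to closure, or to the reporting date if still open."""
    end = f.closed or as_of
    return (end - f.opened).days


def past_sla(f: Finding, as_of: date) -> bool:
    """True if the finding took, or has so far taken, longer than its SLA."""
    return age_days(f, as_of) > SLA_DAYS[f.severity]


def team_scorecard(findings: list[Finding], as_of: date) -> dict[str, dict]:
    """Per-team metrics as of the reporting date."""
    by_team: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_team[f.team].append(f)

    cards: dict[str, dict] = {}
    for team, items in by_team.items():
        open_items = [f for f in items if f.closed is None]
        fix_times = [age_days(f, as_of) for f in items if f.closed is not None]
        cards[team] = {
            "open": len(open_items),
            "open_critical_high": sum(
                1 for f in open_items if f.severity in ("critical", "high")
            ),
            # SLA breaches count both open-and-overdue and closed-late findings.
            "sla_breaches": sum(1 for f in items if past_sla(f, as_of)),
            "mttr_days": round(sum(fix_times) / len(fix_times), 1) if fix_times else None,
            # Open findings weighted by severity; doubled once past SLA.
            "risk_score": sum(
                WEIGHT[f.severity] * (2 if past_sla(f, as_of) else 1) for f in open_items
            ),
        }
    return cards


def leaderboard(cards: dict[str, dict]) -> list[str]:
    """Teams best first: lowest risk score, then fewest SLA breaches, then name."""
    return sorted(cards, key=lambda t: (cards[t]["risk_score"], cards[t]["sla_breaches"], t))


# Constructed sample findings for three fictional teams.
SAMPLE_FINDINGS = [
    Finding("payments", "critical", date(2024, 6, 1), date(2024, 6, 5)),
    Finding("payments", "high", date(2024, 5, 1)),
    Finding("payments", "low", date(2024, 6, 20)),
    Finding("mobile", "critical", date(2024, 6, 10)),
    Finding("mobile", "high", date(2024, 4, 1), date(2024, 5, 20)),
    Finding("mobile", "medium", date(2024, 3, 1)),
    Finding("platform", "high", date(2024, 6, 15), date(2024, 6, 25)),
    Finding("platform", "medium", date(2024, 6, 1)),
    Finding("platform", "low", date(2024, 1, 1), date(2024, 3, 1)),
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    cards = team_scorecard(SAMPLE_FINDINGS, AS_OF)
    for rank, team in enumerate(leaderboard(cards), start=1):
        c = cards[team]
        print(
            f"{rank}. {team:<9} risk={c['risk_score']:>3} open={c['open']} "
            f"crit/high={c['open_critical_high']} sla_breaches={c['sla_breaches']} "
            f"mttr={c['mttr_days']}"
        )
```

With the constructed data, the platform team tops the leaderboard (one open medium inside SLA), payments sits in the middle (an open high that is 60 days old against a 30-day SLA) and mobile comes last (an overdue open critical, an overdue open medium and a high that was closed late). Whatever metrics a team chooses, the definitions should be written down and stable month to month so that movement on the board reflects behavior rather than a change in the yardstick.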
How to Create a Cybersecurity Culture?
A good culture is only a priority if the company makes it one, regardless of which industry it operates in. If you’re looking at how to forge an enhanced cyber culture, the steps below will help to ensure alignment and buy-in:
- Start small: Start small and build from there. The old adage that ‘Rome wasn’t built in a day’ is true – try to do too much too quickly and you’ll be overwhelmed. Identify your key stakeholders – include HR and communications – and start to map out what a good security culture looks like for your business and the behaviors you want to reward.
- Communicate: Understand the different communication channels you can use to engage with teammates. Which are the most appropriate for each message? We rely on a lot of written communication, but company all-hands meetings are an opportunity to speak directly with people and provide a platform for Q&A. That two-way communication builds understanding of what you’re looking to achieve and why. And remember, you can’t over-communicate!
- Focus on the positive: Avoid creating a list of ‘don’ts.’ People will disengage. Instead, highlight the positive steps that people can take. For example, ask people to report any email they are concerned about to IT, and thank them when they do so. Being thanked for their vigilance is something our team takes great pride in. Providing actionable steps that people can take reframes the problem from insurmountable to possible.
- Top-down engagement: Security is not just the CISO’s ‘problem’ – it’s a challenge for the whole business. Executives need to underscore and reinforce the need for a good security culture and model those behaviors themselves.
The right cybersecurity culture can be a catalyst for growth and market leadership by guiding and supporting behaviors that protect the business. It’s not something you acquire; you must create and nurture it.