Creating A Culture Of Cyber Security Throughout An Organisation

It lies within the essence of any good cyber security officer (CISO) to naturally want to engineer, foster and encourage a culture of pervasive cyber security awareness that spans across the organisation and is usually formulated on values that are already integral to the organisation – aligning closely to employee trust, responsibility, and empowerment ethics.

These CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organisation exposed and vulnerable, closely understanding the importance and safety that adherence to a detailed cyber security plan brings. 

Yet for roles outside of IT security and IT infrastructure, embarking on this full cultural change path isn’t always easy. Some CISOs struggle to gain an immediate internal acceptance of cyber initiatives as invariably extra security processes increase workloads, or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications.

Instead, CISOs should embark on a graduated path of cyber security sensitivities. There are three routes in this journey that CISOs need to become adept at developing. 

Creating True Culture Change

First, if they are to successfully build defences, CISOs need to fully understand roles and processes in the existing regime to understand why and when job functions rely on systems internally and externally that could pose and increase vulnerabilities.  

Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on-point for communications for threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local First Aider/Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential.

Recognised accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.     

Once a thorough understanding and development of network of cyber ambassadors is in place, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale in changing behaviours or methods of completing a task.

This education process can take many forms, starting with various impacts via a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and provide early indicators on how easily breaches may occur and how new cyber processes can be effectively adopted. 

Additionally, real world documented examples are often used to show how breaches have been catastrophic in similar sized organisations. Ongoing interactive education is key to building a continued culture of security. Education and learnings on the impact of the breach ramifications - from the board level to new recruits – is essential, at all times building cyber security as an enabler rather than another workflow process to achieve. Successful companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and primary to employees’ performance (and renumeration). HR therefore also play a key part determining a blame-free, but responsible, empowering security culture. 

The Right Tools & Resources

Setting a culture by its very nature, means that all are driving for the same goal. That means gentle, but constant re-enforcement. Often headlines as simple as the 2020 report that showed 79% of US organisations had succumbed to phishing attacks* can lead CISOs to test their own resiliency with fake phishing attacks to see who inadvertently opens untrusted links. And here’s where the third part of cyber empowerment needs careful handling to avoid falling into negative scare tactics when results highlight gaps. CISOs for their part, need to at all times, empower employees with the right enterprise monitoring tools and resources to intelligently identify, question and report suspected attacks. 

They also need to deploy easy to use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in the ongoing monitoring of asset discovery to see which assets and software are lurking in the infrastructure (or may have recently added to the infrastructure) Endpoint security, especially in hybrid environments, is more important than ever to be fully enabled to make employees cyber safe and aware. 

Once a culture exists internally, next, CISO attention must turn toward suppliers and partners who themselves can create entry points for breaches. This can be achieved by clearly setting the organisations cyber security expectations and asking suppliers to prove compliance and adherence towards these documented standards but within a realistic, agreed timeframe. 

Research highlights that successful behavioural change is always a two-way exchange. To achieve an ongoing culture of acceptance, any deployments made by cyber security officers must exist alongside employee productivity so that being security conscious is viewed as a positive and worthwhile experience for the entire organisation. 

Michael Cantor is CIO of Park Place Technologies

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks (£)

 

 

« Elon Musk Isn't Buying Twitter
New Scanning Tool Protects Websites From Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

OXITS

OXITS

OXITS provides end-to-end IoT security, authenticating device communications, protecting code, applications and securing devices from threats.

Kramer Levin

Kramer Levin

Kramer Levin is a full-service law firm with offices in New York and Paris. Practice areas include Cybersecurity, Privacy and Data Protection.

Carbon Black

Carbon Black

Carbon Black delivers the industry’s most complete endpoint security platform.

One Identity

One Identity

One Identity delivers identity governance, access management, and privileged account management solutions that facilitate and secure your digital transformation.

Nuvias Group

Nuvias Group

Nuvias Group is a specialist value-addedd IT distribution company offering a service-led and solution-rich proposition ready for the new world of technology supply.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

Real Random

Real Random

Real Random is on a mission to enhance existing and new crypto-systems with its revolutionary solution to generating numbers that are Truly Random.

Digital Resolve

Digital Resolve

Digital Resolve delivers solutions that help companies maintain trust and confidence through proven and cost-effective fraud-protection and identity intelligence technology.

Norsk Akkreditering

Norsk Akkreditering

Norsk Akkreditering is the national accreditation body for Norway. The directory of members provides details of organisations offering certification services for ISO 27001.

Dashlane

Dashlane

Dashlane puts all your passwords, payments, and personal info in one place that only you control. So you can use them instantly. Securely. Exactly when you need them.

Active Countermeasures

Active Countermeasures

Active Countermeasures believe in giving back to the security community. We do this through free training, thought leadership, and both open source and affordable commercial tools.

QGroup

QGroup

QGroup has been re-designing the consultancy industry since 2012. We're a rapidly expanding group of consulting companies that deliver bespoke IT services including cybersecurity.

Syracom

Syracom

syracom is a consultancy firm specialized in development of efficient business processes. With our expertise and IT competence, we develop tailored solutions for customers in various industries.

Atlantic Data Security

Atlantic Data Security

Atlantic Data Security is skilled in the analysis, recommendation, deployment, and management of all critical components of the security infrastructure.

Otava

Otava

Otava is a global leader of secure, compliant hybrid cloud and IT solutions for service providers, channel partners and enterprise clients.

Menaya

Menaya

Menaya provide Ethical Hackers for leading companies while also providing cyber security solutions to help major infrastructures protect against cyber crime.