Creating A Culture Of Cyber Security Throughout An Organisation

Uploaded on 2022-07-12 in FREE TO VIEW, TECHNOLOGY--Resilience

It lies within the essence of any good cyber security officer (CISO) to naturally want to engineer, foster and encourage a culture of pervasive cyber security awareness that spans across the organisation and is usually formulated on values that are already integral to the organisation – aligning closely to employee trust, responsibility, and empowerment ethics.

These CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organisation exposed and vulnerable, closely understanding the importance and safety that adherence to a detailed cyber security plan brings. 

Yet for roles outside of IT security and IT infrastructure, embarking on this full cultural change path isn’t always easy. Some CISOs struggle to gain an immediate internal acceptance of cyber initiatives as invariably extra security processes increase workloads, or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications.

Instead, CISOs should embark on a graduated path of cyber security sensitivities. There are three routes in this journey that CISOs need to become adept at developing. 

Creating True Culture Change

First, if they are to successfully build defences, CISOs need to fully understand roles and processes in the existing regime to understand why and when job functions rely on systems internally and externally that could pose and increase vulnerabilities.  

Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on-point for communications for threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local First Aider/Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential.

Recognised accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.     

Once a thorough understanding and development of network of cyber ambassadors is in place, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale in changing behaviours or methods of completing a task.

This education process can take many forms, starting with various impacts via a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and provide early indicators on how easily breaches may occur and how new cyber processes can be effectively adopted. 

Additionally, real world documented examples are often used to show how breaches have been catastrophic in similar sized organisations. Ongoing interactive education is key to building a continued culture of security. Education and learnings on the impact of the breach ramifications - from the board level to new recruits – is essential, at all times building cyber security as an enabler rather than another workflow process to achieve. Successful companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and primary to employees’ performance (and renumeration). HR therefore also play a key part determining a blame-free, but responsible, empowering security culture. 

The Right Tools & Resources

Setting a culture by its very nature, means that all are driving for the same goal. That means gentle, but constant re-enforcement. Often headlines as simple as the 2020 report that showed 79% of US organisations had succumbed to phishing attacks* can lead CISOs to test their own resiliency with fake phishing attacks to see who inadvertently opens untrusted links. And here’s where the third part of cyber empowerment needs careful handling to avoid falling into negative scare tactics when results highlight gaps. CISOs for their part, need to at all times, empower employees with the right enterprise monitoring tools and resources to intelligently identify, question and report suspected attacks. 

They also need to deploy easy to use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in the ongoing monitoring of asset discovery to see which assets and software are lurking in the infrastructure (or may have recently added to the infrastructure) Endpoint security, especially in hybrid environments, is more important than ever to be fully enabled to make employees cyber safe and aware. 

Once a culture exists internally, next, CISO attention must turn toward suppliers and partners who themselves can create entry points for breaches. This can be achieved by clearly setting the organisations cyber security expectations and asking suppliers to prove compliance and adherence towards these documented standards but within a realistic, agreed timeframe. 

Research highlights that successful behavioural change is always a two-way exchange. To achieve an ongoing culture of acceptance, any deployments made by cyber security officers must exist alongside employee productivity so that being security conscious is viewed as a positive and worthwhile experience for the entire organisation. 

Michael Cantor is CIO of Park Place Technologies

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks (£)

 

 

« Elon Musk Isn't Buying Twitter
New Scanning Tool Protects Websites From Attack »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Nordic IT Security

Nordic IT Security

Nordic IT Security is a cyber security business forum in Scandinavia bringing together the converging worlds of IT, Cyber and Information Security.

Finnish Information Security Cluster (FISC)

Finnish Information Security Cluster (FISC)

FISC is an organization established by major Finnish information security companies to promote their activities nationally and internationally.

BA-CSIRT

BA-CSIRT

BA-CSIRT is a center which is dedicated to assist and raise awareness among citizens and the Government of the City of Buenos Aires in everything related to information security.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

Mayhem

Mayhem

Mayhem, by ForAllSecure, is a developer-first application and API security testing solution.

Vortiv

Vortiv

Vortiv Ltd (formerly known as Transaction Solutions International Ltd) is a technology based company focused on the cybersecurity and the cloud services sector.

Cyber Risk Institute (CRI)

Cyber Risk Institute (CRI)

CRI is a not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

Datrix

Datrix

Datrix is a leading Smart Infrastructure and Cyber Security solutions provider. We deliver critical networking, communications and cyber security solutions to public and private sector organisations.

Intuitive Research & Technology Corp

Intuitive Research & Technology Corp

Intuitive Research and Technology is an aerospace engineering and analysis firm providing services to the Department of Defense, government agencies, and commercial companies.

Sonet.io

Sonet.io

Sonet.io is built for IT leaders that want a great experience for their remote workers, while enhancing security and observability.

S2W

S2W

S2W is a data intelligence company specialized in cyber threat intelligence, brand/digital abuse, and blockchain.

Lupasafe

Lupasafe

Lupasafe is an all-in-one cybersecurity platform for MSPs and SMEs. See all your cyber risks: From training to phishing, darkweb scans, continuous tech monitoring, AI insights, reporting & compliance.

Datos Insights

Datos Insights

Datos Insights is a leading global provider of insights, data, and advisory services to the financial services, insurance, and retail technology industries.

iConnect IT Business Solutions DMCC

iConnect IT Business Solutions DMCC

iConnect is a trusted IT Solutions and Technology Services company, proudly serving clients across the Middle East and Africa.

PrimeSSL

PrimeSSL

PrimeSSL, a leading Certificate Authority (CA) backed by the trusted Sectigo Root, delivers affordable and user-friendly SSL/TLS certificate solutions.

LiveAction

LiveAction

LiveAction’s Network Intelligence platform transforms complex data into actionable insights, providing organizations with a comprehensive view of their network.