In a world where data breaches, leaks, and extortion have become commonplace, global governing bodies are putting organizations' cybersecurity policies under increased scrutiny.
Against this backdrop, a strong security culture provides a compass that helps organizations navigate changes in the regulatory environment. “Culture eats strategy” is a truism that permeates cybersecurity planning.
Why? Culture guides good cyber governance because it shapes how people think and behave and influences how decisions are made. Should you click on that link? Does the person on the call look real, or could it be a deepfake? Why is there so much urgency behind this deal?
Culture is a support structure that allows employees to pause, breathe, and reflect before they act. That makes it one of the most important pieces of the cyber defense jigsaw. A good security culture is built on several key ingredients: communication, empathy, and competition.
Communication, communication, communication
What I've learned over my 20 years as a security leader is that you can't overcommunicate when it comes to cybersecurity. Employee engagement is a strategic and ongoing effort, not a “one-and-done” affair. Security conversations need to be a visible part of daily work and must span multiple communication channels.
Cybersecurity also requires many “spokespeople.” I shouldn't be the only one talking about security. Our leaders need to drive and lead the conversation, and we need to model the very behaviors we want our teams to adopt. For example, you can't ask your users to confirm they're using multi-factor authentication unless you have enabled it on your own accounts first.
Work with empathy
It's no one's fault that there are attackers who try to manipulate people and take advantage of them. Our team's guiding principle is to never embarrass anyone. That is essential to fostering an open culture: if someone accidentally clicks something they shouldn't, the sooner you know, the better.
If someone feels they will be blamed, they will be more hesitant to come forward. Cybersecurity is a human issue and requires a human response. You can have great technology and great processes, but all roads lead to people. People have to use the technology, people have to be involved in your process, and people have to feel empowered to speak up when they have concerns.
Competition spurs action
We are a cybersecurity products company. Security must be built into everything we design and build, from the ground up. This isn't about meeting some particular external criterion; we are the standard, and we take that responsibility very seriously. That's why product and engineering are represented on the risk management board. We want to collaborate across the business to identify potential vulnerabilities quickly.
Healthy competition between teams also helps. For example, we created a vulnerability scorecard for our product development teams. The scorecard tracks our key vulnerability metrics and is presented monthly to executives and product team leaders.
Nothing motivates a high-performing team more than being compared and evaluated against other teams. Everyone wants to be at the top of the leaderboard with the best score on the vulnerability scorecard.
How do you build a cybersecurity culture?
No matter what industry you operate in, a strong cyber culture doesn't happen by accident; it has to be built deliberately. If you're considering how to build a stronger cyber culture, these steps will help ensure alignment and buy-in.
- Start small: Start small and build from there. The old adage “Rome wasn't built in a day” holds true. If you try to do too much too quickly, you'll overwhelm yourself and your teams. Identify your key stakeholders, such as human resources and communications, and start planning what a good security culture looks like for your business and which behaviors you want to reward.
- Connect: Understand the different communication channels available to engage your teammates. Which one is most appropriate for each message? Although we rely heavily on written communications, we provide opportunities across the company to speak directly to people and offer a platform for Q&A. This two-way communication gives people a better understanding of what you are trying to accomplish and why. And remember: you can't overcommunicate.
- Focus on the positive: Don't make a list of “don'ts.” People tune out. Instead, highlight positive steps people can take. For example, if you're unsure about an email, report it to your IT team, and make a point of thanking people who do. Being thanked for their vigilance is a source of great pride for people. Reframe problems from insurmountable to achievable by giving people actionable steps.
- Top-down involvement: Security isn't just a CISO “problem”; it's a business-wide challenge. Executives must emphasize and reinforce the need for a good security culture and model the behavior themselves.
The right cybersecurity culture is a catalyst for growth and market leadership because it guides and supports the actions that protect your business. It isn't something you simply acquire; you have to create it and nurture it.