Cybersecurity Culture: Building a Base
August 07, 2020 by Becky Metivier
In the current cyberthreat environment, organizations must be vigilant. Vigilance begins with preparation. Being prepared starts with being aware. To be successful, you need to develop cybersecurity awareness throughout your entire organization, which leads to institutional practices that support the secure execution of your business strategy. You need to create a culture of cybersecurity.
What is Cybersecurity Culture?
Cybersecurity culture is achieved when an organization’s people, process, and technology are aligned for secure execution of the business strategy. People in every position understand their functional role includes protection of information, customers, assets, other employees, and the organization’s mission.
All workforce members understand the functions – and the risks – associated with the information systems they use. Processes are designed to create closed-loop accountability and to feed the active institutional memory captured in the documentation of those processes. Leadership sets the tone and invests in the culture of “know.”
In short, it’s a culture that allows an organization to continue its mission with only minor interruption despite almost constant attempts to disrupt it. And the foundation of a cybersecurity culture is institutional knowledge.
The Danger of Tribal Knowledge
Does this scenario sound familiar to you? You’ve been assigned a new task at the office. You locate the standard operating procedure, and try to follow it, but it doesn’t make any sense. You ask your co-worker for help. The response? “Oh, don’t pay attention to the paperwork. You have to ask Dave how to do it. The paperwork doesn’t matter anymore, but he’ll know. He’s been here for 20 years.”
This is what we refer to as tribal knowledge. It’s the information about operations that employees keep in their heads. It’s the real information behind a static written procedure or process that is no longer appropriate or applicable to the organization. And it’s common in many organizations, especially small ones. Keeping policies and procedures up to date and spending time training employees can be perceived as low priority. These types of activities often get bumped to the bottom of the to-do list by higher-priority tasks. But not doing it puts your organization at risk because that knowledge can walk out the door at any time.
The cost of tribal knowledge when it “walks out the door” is quantifiable and significant. It takes real dollars to train people; add to that real dollars in lost productivity, plus the risk of system disruption and reputational damage if a function is not executed accurately and/or safely. It takes far more time to update severely outdated documents than to keep them alive. And disruption can be significant – up to and including having to replace whole systems – because no one in the institution knows how to use a legacy system that is important to operations. We’ve seen this happen. An organization lays off a whole team – by accident, poor planning, or intention – and no one left in the organization understands how to run the tool or even log into it.
Institutional Memory
Institutional knowledge is information that’s out of someone’s head and into a “living” document. Therefore, creating institutional memory is all about documentation – active organizational documentation, hardcopy and/or digital, including:
- Policies
- Procedures
- Guidelines
- Asset inventories
- Change documentation
- Network infrastructure diagrams
- Data flow diagrams
- Continuity of operations plans, such as business continuity plan (BCP), disaster recovery (DR), incident response plan (IRP), and vendor management
Of course, this isn’t an exhaustive list, but you can put almost anything in one of these buckets. What’s most important is that this requires active documentation: it’s an ongoing process, not a point-in-time engagement. You should never put these documents on a shelf and say, “Well, I’m done with that.” You need a process – an owner, a review cadence, and a trigger to update when the system or procedure changes – to keep these documents ALIVE and MEANINGFUL.