Cybersecurity Culture: People First
August 07, 2020 by Becky Metivier
Building a strong culture of cybersecurity in your organization can mean an incident only causes a minor interruption to business as usual, and not a major disaster declaration (or worse). Cybersecurity is made up of three important elements – people, process, and technology – and each must be developed for a cybersecurity culture to endure.
There is a tendency to get into an IT-first conversation when discussing cybersecurity, but it’s really a people-first conversation. Without people there would be no culture and nothing to protect. Here are some actions you can take to bring people into your security culture.
#1. Leadership, Governance & Oversight
It all starts at the top. Leadership must set the tone for a culture of cybersecurity. They need to take accountability for their own actions, as well as the actions of their workforce. Leaders must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure.
Investments made in the protection of information, people, and the business mission must be communicated clearly and in multiple ways. Some ways are overt, but others must be integrated into normal business functions: not hidden, just part of business as usual. Cybersecurity is woven into how the business perceives itself and its mission. It’s not enough to simply do business; you must commit to doing business securely.
#2. The Hiring Process
The mission of cybersecurity should be communicated from a person’s first interaction with your organization. Job descriptions should include cybersecurity responsibilities for each role type, including standard end users. Responsibility for following policy, participating in protection of information, etc., should be explicitly listed in the job description, so it can be measured.
Background checks should always be performed prior to hire, and periodic re-checks should occur for critical or sensitive functions.
#3. Cybersecurity Training
You will most likely offer different types of training depending on the person’s role within the organization; however, everyone in the organization should have some level of cybersecurity training. Regardless of role, everyone has some responsibility, even if it’s just the basics like adhering to policy or reporting incidents. Training is essential for awareness and preparedness.
We recommend cybersecurity awareness training at least annually for your entire staff. Instructor-led training is most effective because asking questions in a live setting reduces misunderstanding. In-person training lets people absorb the concepts well enough to practice them effectively. Computer-based training is a great augmentation.
#4. Performance Reviews
Include the results of an employee’s testing activity and policy performance – including security metrics and security performance – in their performance review. This not only reinforces the importance of cybersecurity, but it can also promote participation in your cybersecurity program. If a component of their performance is participation in your program, then it can also be tied to bonuses, raises, and promotions.
This can be tracked through testing activity, such as a social engineering assessment. Did they click the link? Or provide information over the phone? It can also be tracked through policy performance. How are they adhering to the end-user acceptable use policy? The remote access policy? The mobile policy?
People conceive, design, configure, and use all the tools of business and create all the information. Without people, there’s nothing. A culture of cybersecurity cannot exist if your people don’t participate.