Five Steps to a Cybersecurity Culture
July 29, 2019 by Loren Lachapelle
In the current cyber threat environment, organizations must be vigilant. Vigilance begins with preparation. Being prepared starts with being aware. To be successful, you need to develop cybersecurity awareness throughout your entire organization, which leads to organizational practices that support the secure execution of your business strategy. You need to create a culture of cybersecurity.
Here are five steps to help your organization advance your cybersecurity efforts – and make sure they stick.
1. Create Institutional Memory
Developing a cybersecurity culture begins with institutional memory – that is, knowledge and information that’s out of someone’s head and into a “living” document. Active organizational documentation, including the following types of hardcopy or digital files, will all contribute to the first step in a successful cybersecurity culture:
- Policies;
- Procedures;
- Guidelines;
- Asset inventories;
- Change documentation;
- Network infrastructure diagrams;
- Data flow diagrams; and
- Continuity of Operations Plans, such as Business Continuity Plan (BCP), Disaster Recovery (DR), Incident Response Plan (IRP), and Vendor Management.
2. Invest in Your People
In order for your cybersecurity culture to endure, you must include the people who are the core of the organization. Without people, there is no culture. It all starts at the top. Leaders must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure.
The mission of cybersecurity should also be communicated to prospective employees as part of the hiring process. Job descriptions should include cybersecurity responsibilities for each role, and at minimum include the responsibility for following policy and participating in the protection of information entrusted to the organization.
Regardless of role, everyone in an organization should have some level of cybersecurity training – because everyone has some responsibility to the organization. We recommend a cybersecurity awareness training led by an instructor at least annually for your entire staff.
Finally, your staff should want to feel motivated to be part of the cybersecurity culture. It is wise to include everyone’s results of testing activity and policy performance – including security metrics and security performance – in their annual performance review. This reinforces importance and promotes participation in your cybersecurity program.
3. Develop Processes
When building a cybersecurity culture, process plays a critical role. Every process should include learning, improvement, and accountability touch points, as well as provide end-to-end corroboration of the function it represents. Here are some examples of critical processes:
- User equipment and provisioning
- This must be centrally managed and appropriate system access should be granted according to their role, be changed if their role changes, and be removed at the time of termination.
- Change Management
- The change management process includes controlled identification and implementation of any changes you may be making. These change-types should be pre-determined according to the risk they present, and controls around the change-type should commensurate with the risk.
- Be sure to document the changes and provide end-to-end corroboration of the function the change-type represents. Remember to tie all changes performed to changes approved.
- Cyber Risk Management
- Effective risk management starts with organizational risk criteria to guide you in your risk assessment process that involves: 1) Understanding your vulnerabilities and the existing threats that might exploit them; 2) The impact to your organization if a vulnerability were to be exploited; and 3) The likelihood of exploitation, given your control environment.
- Risk assessments should be scheduled, and you’ll also want to have a programmatic remediation process to deal with risk mitigation and remediation activities.
- Account Review
- This process should have centralized management with distributed performance, meaning that somebody owns a task, but performance of the reviews goes to managers who have the custodial responsibilities and know who actually needs access to each system.
- Activity Review
- Daily log analysis is an important process to understand what has been allowed to pass through preventative control layers and ensure malicious activity is detected.
- Threat Intelligence
- An effective threat intelligence process includes: 1) Identifying sources that define and explain the evolving threat landscape relative to your business; 2) Documenting how the sources will be used; and 3) Assigning roles and responsibilities for collecting, assessing, distributing the information, and acting on it if it applies to your environment.
- System Lifecycle Management
- Security should be woven into all lifecycle management conversations – from acquisition to destruction. It’s much easier to involve security from the beginning.
4. Technology
Technology – along with people and process – is a central part of your cybersecurity culture, and there is a culture around every technical control of it’s just a box with the lights on. For example, it’s not enough just to buy a firewall and plug it in. The culture around the firewall includes:
- Documented business justification for each rule allowing traffic in and/or out. What business purpose does each rule support?
- Patching and updating of the firewall’s firmware
- Physical security of the device(s) itself
- Backups of configuration
- High availability pairing for fault tolerance
5. Practice and Testing
Now, you’re on the path to creating a lasting cybersecurity culture. You’ve built a foundation of institutional knowledge, and you’ve carefully considered how people, process, and technology play a role. There’s one more element to think about, and that’s practice and testing.
Have you ever done well on a test that you haven’t practiced or prepared for? Most likely, you haven’t. Your test results will often dramatically improve when you practice. Practice can help your employees learn without the pressure of performing.
Testing can also assure that your controls are working as designed and intended to, and includes:
- People – Test the people by doing social engineering experiments (such as network and telephone pretexting) to ensure that employees know how to identify fraud attempts. Phishing emails will also help them with identifying fraudulent emails.
- Process – Audits can help you determine if processes are working and will allow you to understand if everything is operating according to policy.
- Technology – Performing external penetration testing, internal configuration analysis and vulnerability scanning, as well as disaster recovery testing will help keep your technology knowledge and implementation up to date.
When you’ve integrated your people, processes, and technology (and do frequent checking and testing of it), you will have successfully developed a lasting cybersecurity culture in your organization and have all the tools needed when it comes to preventing and defending cyber-attacks.