Do you want to know a secret? We’ve spent too much time getting the culture of cybersecurity wrong! Over the past 20 years, we’ve grown accustomed to using technology to secure technology – and we’re good at it! However, we have gone wrong in trying to use technology to secure people. Since humans are the primary attack vector, there is a clear rationale for solving the people problem, and it starts with breathing new life into an outdated cybersecurity culture.
Getting the human factor right is key to building a strong and resilient cybersecurity posture. It’s no surprise that routine human error is a major contributing factor in breaches that can undermine even the most resilient cybersecurity measures in the workplace. In our rapidly changing hybrid world, where 80% of breaches involve human elements, there is no better argument to completely rethink and reset the way we drive cybersecurity change and build a strong cybersecurity culture in the workplace.
The stronger your security culture, the more likely people are to behave securely and adopt secure behaviors. Ultimately, if you want your staff to adopt secure behaviors, you need to set the stage by creating an environment where that behavior can flourish.
Understand security culture and how to build it
Culture is built and shaped by what people think. At bottom, it is about people’s shared attitudes, perceptions and beliefs. A culture of cybersecurity is underpinned by these key principles. The drivers of this positive cybersecurity culture are some of the things that we as humans value the most. Basically, if your organization’s security is too overbearing, inaccessible, or unable to engage with a workforce in a positive way, then people just won’t like the cybersecurity lessons you’re trying to teach. Humans are widely criticized as the weakest link in the cybersecurity chain, but telling people they’re doing it all wrong won’t get you anywhere. You need to educate and grow this cyber culture that touches everyone at all levels of the workforce.
It will come as no surprise that even the best management programs fail if they are not supported by a strong and positive culture. Too often, negative culture is the exact cause of failed vulnerability management programs. Security operations also fail when teams and work culture aren’t supportive and collaborative enough to drive great results. The fact is, no matter how important the security goal, it is doomed if the workforce believes there is a toxic security culture. The terms that come up too often to describe this type of poor culture are “punitive”, “vague” and “fear-based”. If you have this kind of problem, how are you going to take the workforce on a cybersecurity journey with you?
The golden rules: how do we do it?
1. Culture starts with the security team. If people find your policies easy to follow and collaborative, you’re on the right track!
Self-awareness plays a major role in this endeavor, and security teams need to be able to hold a mirror in front of themselves and ask “would I accept what I see here?” This is a metric that requires understanding what people think of the security team. While it might seem daunting to ask employees what they think of their cybersecurity team, there’s no better way to get a cyber culture health check and quickly understand what needs to be improved. To start, you can focus on these key performance indicators.
– Do people feel safe to report incidents? Even the ones they might have been responsible for?
– Does the security team receive regular communications from staff, such as requests for briefings?
– Is the message getting through? If not, why not? Is it too technical, too vague or too unfamiliar?
When trying to steer an organization’s security course, remember that emotions matter a lot. It’s essential to facilitate candid speech where employees feel they can freely share their thoughts and feelings on everything from the security team to policies and training opportunities.
2. Do’s, not don’ts
Success lies in workforce motivation and security. You don’t do it by technical magic, you do it by understanding people. Look to simple behavioral architecture to see if you can inspire people to do what you want them to do without them even noticing. As experts in what we do, we can be guilty of cognitive overload. How about simplifying this by spelling out in simple, non-technical language what needs to be done to hit the right notes? In cybersecurity, the list of things not to do is endless, so it’s impossible to tell people everything they shouldn’t do. Instead, make it easy for everyone and tell employees the 5 things they should be doing. Isn’t it better for them to take 5 simple actions than to ignore the list of 20 things you tell them not to do?
3. Always keep it simple
When communicating cybersecurity instructions, keep it simple. For example, if you’re rolling out a new password manager, do you think people will take the time to decipher the technical language, or will they care about your well-meaning explanation of its importance for regulation and the company? It’s a definite no. Why not be the nice ones and tell people how much time they’ll save with this new solution and how much easier their workday will be if they follow a few simple instructions? If writing for a mass audience isn’t your forte, no problem. Take the time to connect with HR or internal communications teams for help communicating your vision in non-technical language. To be effective, writing should always be from the perspective of the people, not the security team. Remember that communication should not be boring and corporate. Putting your instructions into something like a comic book would get a lot more people to absorb what you have to say!
The road ahead
Today, leadership in cybersecurity is no longer just about technology. It’s ultimately about organizational change – a change not just in how people think about cybersecurity, but in what they prioritize and how they act – from the board to every level of the organization.
Building, managing and measuring a strong cybersecurity culture by leveraging the latest real-world lessons and organizational change models is now a critical business priority. For a security professional, it’s important to see their role as a people manager responsible for helping people change behavior and then changing business goals. Ultimately, managing human risk is why we all do security.
Lance Spitzner is the lead instructor at SANS Institute