Building a Cybersecurity Culture is important in our current threat environment. It can ensure that an incident only causes a minor interruption to business-as-usual – not a major disruption (or worse). Cybersecurity is made up of three important elements – people, process, and technology – and each must be developed for a cybersecurity culture to endure. In part two of our blog series we’ll look at how people fit into a Cybersecurity Culture. There’s a tendency to get into an IT-first conversation when discussing cybersecurity, but it’s really a people-first conversation. Without people there would be no culture, and nothing to protect.
#1. Leadership, Governance & Oversight
It all starts at the top. Leadership must set the tone for a culture of cybersecurity. This requires that they take accountability for their own actions, as well as the actions of their workforce. Leaders must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure.
Investments made in the protection of information, people, and the business mission must be communicated clearly and in multiple ways. Some of those ways are overt; others must be integrated into normal business functions – not hidden, just part of business-as-usual. Security is woven into how the business perceives itself and its mission. It’s not enough to simply do business; you must commit to doing business securely.
#2. The Hiring Process
This mission of cybersecurity should be communicated from a person’s first interaction with your company. Job descriptions should include cybersecurity responsibilities for each role type. Even for standard end users, responsibility for following policy, participating in protection of information, etc., should be explicitly listed in the job description, so that it can be measured.
Background checks should always be performed prior to hire, and periodic re-checks should occur for critical or sensitive functions.
#3. Cybersecurity Training
You will most likely offer different types of training depending on the person’s role within the organisation; however, everyone in the organisation should have some level of cybersecurity training. Regardless of role, everyone has some responsibility, even if it’s just the basics like adhering to policy or reporting incidents. Training is essential for awareness and preparedness.
We recommend cybersecurity awareness training at least annually for your entire staff. Instructor-led training is most effective, because being able to ask questions of a live expert reduces misunderstandings. In-person training gives people the time to absorb concepts properly, so they can apply them in practice. Computer-based training is a great augmentation.
#4. Performance Reviews
Include each individual’s results from testing activity and policy performance – that is, their security metrics – in their performance review. This not only reinforces the importance of security, it can also promote participation in your program. If participation in your program is a component of their performance, then it can also be tied to bonuses, raises, and/or promotions.
This can be tracked through testing activity, such as a social engineering test. Did they click the link? Or provide information over the phone? It can also be tracked through policy performance. How are they adhering to the end user acceptable use policy? The remote access policy? The mobile policy?
People conceive, design, configure, and use all the tools of business and create all the information. Without people, there’s nothing. A culture of cybersecurity cannot exist if your people don’t participate.