Current efforts in cybersecurity aren't cutting it.
Organizations buy next generation defenses...they still get hacked.
Organizations embrace a zero trust approach (well, as close as they can get to zero trust)...they are still hacked.
They provide security awareness training on demand...people still click...hackers get in.
They put in place policies and procedures to curb fraud...some insiders still manage to steal from the organization.
Inadequate attention is paid to building a strong Security Culture.
A Security Culture should permeate the organization, not just be something "sprinkled on top". A strong Security Culture is one where everyone recognizes that:
People make mistakes and should not be shamed or berated
Open communication is vital
Hackers will always get in
It's vital to speak up ASAP when you note something wrong
Such a culture does not happen overnight, and it does not happen on its own. It requires careful, intentional efforts. It starts at the top.
Learn from a Culture of Safety
In Aviation, Healthcare, Manufacturing, and other sectors, you often hear about building a strong "Culture of Safety." This is one of the highest priorities for organizations whose operations can impact human life. Building a culture of safety is foundational. Without it, human lives will be lost.
This is nothing new. Much has been written about "just culture" and "safety culture," and there is no shortage of blogs, books, and leadership courses covering the topic.
With the great increase in likelihood and impact of cybersecurity events, it is no longer adequate to simply educate people about the basics and leave them to their work.
There needs to be a strong "culture of security." Everyone needs to feel free to speak up when they see something wrong or make a mistake.
The Weakest Link?
How many times have you heard “people are the weakest link” in a cybersecurity presentation? The numbers seem to bear out the truth of this statement [1] — most cyber-attacks start with a human mistake — but it doesn’t paint the whole picture.
Lior Div, who was a member of Israel's Unit 8200, stated that they were always able to break into any organization's systems, but the times when they were unable to achieve their objectives were because some person noticed something odd. That person would continue to investigate, pulling on the thread, until they discovered the infiltration and shut it down.
Yes - people are our greatest weapon in the fight against hackers!
Cybersecurity is a Team Sport!
There needs to be a recognition that people are our greatest allies. Cybersecurity is a team sport – all the way from the intern on up to the executives. People have varying degrees of knowledge and understanding of cybersecurity, and our approach to education doesn't resolve the issue. People are plied with pre-recorded trainings which only scratch the surface, and half of them don't even watch them.
Build your Security Culture!
Building a security culture does not mean creating paranoia. When you raise security awareness without properly educating people, suddenly every email is being reported as suspicious — even the legitimate ones. Activity slows in an organization where no one trusts anything.
An organization with a strong security culture is one where people are not afraid to speak up when they see something that represents a security risk. Instead of fear, people are looking to continually improve. They continue to learn and hone their skills so that they can make the right decisions confidently.
We will now consider the various components that go into a culture of security.
It Starts at the Top
The tone of an organization is set from the top. When the executives prioritize security and continually reinforce that message, people will follow. Boeing - with a long and proud history of Safety - lost its safety culture [2, 3] when executives focused on speed to market and containing costs rather than on safety.
Besides setting the tone, Executives also need education — they have questions about cybersecurity! They may be the foremost experts in their field, but they probably don't understand security as well as someone who eats, sleeps, and breathes security. They may also have questions about the latest regulatory changes, such as the new SEC rules around cybersecurity reporting.
An important step in building a culture of security is education of people at every level.
Create a "Just Culture"
"Just Culture" is an important concept that many Healthcare organizations strive to put into practice. In this article from Mass General Brigham [4], Paul LeSage, an advisor from SG Collaborative Solutions, LLC, explains:
“Working in a Just Culture means more security around the decisions you make. It means recognizing that humans aren’t perfect and that when you make a mistake you are going to be embraced in the process of trying to understand why the error was made rather than be punished for your mistake,” says LeSage. “For frontline staff that boils down to more security in reporting and being open about errors.”
Many people are already intimidated by technology and security. They don’t speak up when they feel something is wrong because they are afraid of being berated and made to feel that they are inadequate. This needs to be addressed.
Create a statement about your philosophy on Security. It should include:
We recognize that people make mistakes – even tech savvy security pros
We will not berate you for making a mistake
It’s essential that you always come forward immediately
And then you need to reiterate this philosophy over and over again. It only takes hold when it is repeated consistently and when the Executives and Management support the decisions of others.
Help Your People in their Personal Life
Provide resources that help your people secure themselves in their private lives. These good habits will be reinforced and will carry over into their work. It will also build your relationship with them. Provide a regular newsletter, and additional classes on important topics such as:
How do I protect my Privacy online?
Safe Online Shopping and Banking
I've received a breach notification - now what do I do?
Helping Seniors stay safe from Fraud
Make Allies
You can’t be everywhere. How can you ensure that security has a voice at all of the various business meetings? Create a program of “Security Champions.” Identify those individuals who truly appreciate security, or at least have a degree of interest. Provide those people with additional education. Help them to see how security can help them accomplish their mission and reduce pain.
Policy and Procedure
Policy expresses the commitment and desire of Executives and Top management. Procedures outline the specific steps that need to be followed to achieve the desired results while adhering to regulatory, contractual, and other obligations.
Do your policies clearly outline everyone’s security responsibilities? Do you have procedures that clearly and concisely explain what to do when there is a security consideration?
Engage with a cybersecurity professional to review, discuss, and update your Policies and Procedures. This will be a dialogue with each business unit. Policies and procedures are ineffective if they don’t consider business realities.
Your Plan for Building a Security Culture
Engage us for a free consultation so that we can help you build out a stronger security culture. It's free and we will provide you with actionable ideas you can implement right away.
Video Excerpt
This is an excerpt from an interactive session I deliver for organizations in order to arm everyone with the understanding and mindset they need in today's connected world.
References
In an opinion piece for The New York Times, Bill Saporito, who has covered the airline industry extensively, writes that changes in the company's culture began decades ago. He pointed to a shift that began in the 1990s when Boeing, in an effort to be more competitive, underwent several reorganizations and purchased its domestic competitor McDonnell Douglas. That acquisition in 1997 prompted Boeing to move its headquarters twice and change CEOs several times. Saporito writes, "What Boeing missed, as it tried to dump costs and speed production, was the chance to ensure that safety was a cultural core and a competitive advantage."
4. Mass General Brigham: "What is Just Culture? Changing the way we think about errors to improve patient safety and staff satisfaction" - https://www.brighamandwomensfaulkner.org/about-bwfh/news/what-is-just-culture-changing-the-way-we-think-about-errors-to-improve-patient-safety-and-staff-satisfaction