Once the executive team, in collaboration with the CISO and other cybersecurity experts, has developed a clear cybersecurity position, actions must be taken to embed that cybersecurity culture in every part of the company.
An organization’s cybersecurity culture defines the proper way to behave within the organization as team members use digital equipment and assets to conduct their work. Ultimately, a cybersecurity culture consists of the shared beliefs, values, and strategies established by executive leaders for protecting company data and digital assets. These areas must be communicated and reinforced through various methods, ultimately shaping employee perception, behavior, and understanding concerning the firm’s cybersecurity position.
In short, a cybersecurity culture must facilitate the entire company’s understanding of the benefits of being a more secure organization—benefits like better serving customers, increasing profitability, strengthening the company’s reputation—and the negative consequences of unsecured data. All employees must understand their role, be open to ongoing learning, and be enthusiastic about celebrating success.
Indicative of the progress many companies need to make in this area, the above-mentioned ISACA and CMMI Cybersecurity Culture Report [2] revealed that 60 percent of companies don’t have widespread employee buy-in, 42 percent of organizations don’t have an IT culture plan, and 55 percent think the CISO owns the company’s cybersecurity position. Organizations can change this by making the following modifications:
Share the Bigger Picture
Share where cybersecurity fits into overall corporate strategies and goals. Explain the roles each functional team and individual team member needs to play, based on the position and strategic decisions the executive leadership makes.
Provide Regular Training and Education to Increase Team Member Confidence
Cybersecurity professionals understand that technology users are the most significant risk to cybersecurity. Criminals have become increasingly proficient at researching and targeting their victims and will capitalize on any mistake employees make. Regular training and exercises, like phishing simulations, help counter this. Sharing information on the latest attack strategies and providing education that includes concrete examples also work well.
Many employees are afraid to inconvenience the IT or cybersecurity team with something they think might be silly. Strongly encourage all employees to share anything that looks suspicious with IT, and offer as much feedback as possible to increase their knowledge about potential cyberattacks. Furthermore, when an employee reports something that might seem trivial to individuals with more cybersecurity knowledge, it is critical that IT personnel do not make the employee feel silly and that they thank them for their cooperation.
Encourage Two-Way Listening
Open communication between the IT department and technology users is vital, as many vulnerabilities are created by technology teams inadvertently introducing too much process friction in their pursuit of stronger security. If completing work becomes too hard, employees will create workarounds—like shadow databases and financial reports—to enhance their productivity and make their lives easier. In many cases, there will need to be compromises between security and productivity to develop solutions that align with the company’s cybersecurity culture.
Engage Employees, Don’t Lecture Them
Cybersecurity policies and procedures must be updated regularly, but these updates need to be compiled so they are easy to understand. They should be as concise and interesting as possible, and not disseminated so frequently that recipients become tempted to tune out.
Celebrate Individual Successes
Highlight examples of successful employee efforts, no matter how small. This will make the employee who took action feel valued and will reinforce the idea that all employees have an important role to play.
Celebrate Organizational Success
If the organization meets specific cybersecurity performance metrics, celebrate. If there is a breach but it was handled well and the damage was minimized, celebrate that as well.
With the proper vision, steps, planning, and communication, the cybersecurity culture established by your executive team will work its way through your entire organization. If SilverSky’s Professional Services team can help you as you undertake this journey, don’t hesitate to contact us.