
Overcoming the security culture hurdle for the modern-day security leader

(Image credit: Sergey Nivens / Shutterstock)

The phrase “security culture” is uttered frequently in the cybersecurity industry and, as we find ourselves in a highly volatile and security-focused era, business decision makers are beginning to realise the importance and significance of these two words. Having a strong security culture is an ideal that many strive for but, in reality, very few achieve. Many have been misguided into believing they have accomplished this feat but, when pressured or scrutinised, it is revealed that they have not. The statistics around this issue further highlight the failing: nearly three-quarters of security leaders reported that their organisations experienced a security incident in the last year, while almost all stated they have security culture embedded yet are still experiencing security incidents. Both findings clearly indicate there is much work to be done when it comes to achieving security culture, and among the first challenges is understanding what security culture actually is.

Defining security culture is difficult because it is unique to each business. It is a representation of the overall vision, values, ideas, customs, and social behaviours of an organisation, and these all directly influence its security posture. Security leaders will need to dig deeper into the business psyche to assess the security culture within the business's various components, which will help to build a strong foundation for security. This will involve security and business leadership, employee participation and perception, and communication and transparency. Because of this, there will always be varied and often different approaches to achieving the right security culture, but it is pivotal to the success of a business and therefore requires a well-thought-out roadmap giving clarity on the direction in which the CISO or head of security wants the business to go.

Learning to empower the workforce

We know security is a business priority for most, especially given the number of cyberthreats breaching modern systems today. Having a strong security culture will not only help protect the organisation against past, present and future threats, but it also ensures the same goal of security is being promoted throughout. However, there is a disconnect here, as 92 per cent of security leaders confidently believe they have successfully rooted an effective security culture within their own organisations. How is this possible given that almost three-quarters of these security leaders have admitted that security incidents have plagued their organisation in the past 12 months? The reason can likely be put down to investment and attention being directed to the wrong place.

In order to have an effective security culture, organisations must learn to empower the workforce with the security knowledge and awareness necessary to identify threats. This includes regularly updating staff on their cybersecurity responsibilities, tuning their security behaviours and online practices, and monitoring that the security policies in place are being followed across the entire enterprise. However, getting employees to buy in to this ethos is the biggest challenge facing security leaders, as staff may feel that security is not their responsibility, or that learning about security is not worthwhile and encroaches on their already busy work schedule.

To change this mindset, having a security advocacy program that is communicated from the boardroom level can help increase visibility and influence throughout the organisation and begin to create an effective human firewall. The program will champion the proper behaviours of employees and why they need to contribute to the security of the organisation.

Cybersecurity is more than an IT departmental issue

The modern cybercriminal is cunning, nefarious and advanced in the art of cyberwarfare. Their targets are the many, not the few, and they will unravel and exploit any sign of weakness, regardless of whether it lies in the technology or the workforce. This is why the belief that security is solely an IT departmental issue is outdated and dangerous to the security of any business. Cybersecurity risks can impact all facets of an organisation, so expecting a team of security or IT personnel, who are often understaffed and heavily strained, to manage the entire infrastructure, and the workforce that operates on it, is unrealistic.

They need support, and companies need to create an environment where there is formal and ongoing collaboration with a range of business functions, not only IT, that focuses on improving both security and business performance. The program is not limited to, but should include, the following:

  • Having a dedicated internal security committee that is responsible for sharing and creating security material as well as documenting relationships between security and business
  • Defining the prime objective of these relationships, which is to heighten security intelligence and collaborate further on joint initiatives
  • Implementing both security and business performance success metrics to clearly show where improvements are being made and where further work is required

This can be channelled through the boardroom as well as marketed and communicated to stakeholders to help generate further support of the necessary change in attitude towards security.

With the number of threats forever mounting, the security landscape has never been more complex. Security leaders are doing their level best to counter these with a number of initiatives, including cloud migration; Zero Trust architecture; technology upgrades; and insider threat, digital identity, and security awareness programs. While technology plays a large part in the majority of these initiatives, the human element is also a key component, providing the creativity, emotion, oversight and knowledge needed to keep these parts well-oiled and functioning.

Once a strong security culture is established, organisations will begin to see the positive effect this has on the overall business, as it will breed confidence and trust with the customer base. Suffering a cyber-incident can have a detrimental effect on a business, both financially and reputationally, so an organisation that is seen to do all it can to improve security culture and prevent a cyberattack will only gain further customer approval.

Given the current predicament we all find ourselves in, and the change in working conditions, security leaders are confronting challenges many have never come across before. By leading by example and having the organisation pull in the same direction, with a workforce aware of its security obligations and following a strong security culture philosophy, most will overcome this hurdle unscathed and, in doing so, so will their organisations.

Javvad Malik, security awareness advocate, KnowBe4

Javvad Malik
Javvad Malik is one of the industry’s most prolific video bloggers, with a fresh and light-hearted perspective on security. He is a commentator on IT security skills and the growing cyber security skills gap, as well as on general security trends.