cybersecurity culture

Don’t Underestimate Culture

Despite a growing investment in cybersecurity, there lies a frequently overlooked issue: even the best technology and most efficient services are rendered relatively ineffective without a culture that supports the cybersecurity program. “It’s a make or break issue,” points out Dawn-Marie Hutchinson, executive director in the office of the CISO for security consulting and integration firm Optiv. Adds Lucas Moody, chief information security officer (CISO) at Palo Alto Networks: “Culture is among the most overlooked aspects of cybersecurity.”

An organization’s employees can truly be considered the ‘x-factor’ in achieving security best practice results. Depending on their willingness to follow procedures, adapt to changes, and absorb information delivered through training and professional development, a security initiative will either succeed or stumble. “A sound strategic framework with the right technologies, processes and culture greatly reduce risk,” states Kevin Richards, managing director, North America Security Practice and global lead for security, strategy and risk at Accenture Security.

Counter Culture

It’s tempting to think about cybersecurity primarily in terms of products and solutions. Conventional thinking revolves around the idea that an antivirus program can detect and block malware, a firewall can block unauthorized users, and a blacklist can prevent known phishing sites from breaching an enterprise. However, cybersecurity isn’t just a technology game; people and processes are essential pieces to the puzzle.

Unfortunately, the culture of many organizations does not support best practices. Too often, employees lack a basic understanding of cybersecurity threats and how their actions and behaviors can impact an organization. In other cases, employees do not follow established protocols or the policies and procedures established by the organization are too complicated or unwieldy.

“There is an all too prevalent attitude among CSOs and other executives that employees are somewhat ignorant when it comes to cybersecurity,” Hutchinson states. “The reality is that most people are very good at what they do, and they work very hard to do the best job possible for their company. A good starting point for cybersecurity is to acknowledge that constantly berating and belittling employees doesn’t help.” Part of the problem, she argues, is that CSOs and CISOs are sometimes too focused on delivering solutions and meeting specific operational metrics. They overlook the cultural component.

But the problems don’t stop there. Many organizations provide minimal training and there’s also a tendency to develop controls that are too onerous. As a result, employees adopt shadow technology or find ways to circumvent systems so that they can get their work completed. For instance, an overly cumbersome password framework may prompt employees to write down passwords on a piece of paper or repeatedly call the help desk to reset a password they can’t recall. “If you have a policy that requires people to reset their password every 90 days and it’s 12 or 14 characters with symbols–and they wind up writing it down–you’re actually making their lives difficult and weakening security,” Hutchinson says.

A better approach, Hutchinson says, is requiring a password reset once or twice a year, requiring multi-factor authentication for sensitive logins and questionable circumstances, and using other security procedures and controls to better manage accounts and data on an everyday basis. It’s also wise to avoid “outing” or “shaming” people who make mistakes or fail to follow a procedure or protocol. “You don’t want to become the department of ‘no,’ and you don’t want to embarrass or frustrate people. You want to allow everyone to do their jobs in the most security-focused way possible while protecting your data and crown jewels,” Hutchinson explains.

A Better Way

Establishing a culture that supports security and does what it can to embrace measures revolves around a number of important factors. First, there’s a need to prioritize education and training. “Employees can’t be security experts if they don’t understand the fundamental problems and challenges,” Hutchinson says. It’s important to tie learning to current risks and security methods, make it easily understandable and deliver it in quick and effective doses. “Oftentimes, organizations trip themselves up because learning metrics are based on click-throughs rather than gaining actual knowledge–the system rewards the wrong behavior,” Hutchinson explains.

A better approach, Hutchinson says, is to create incentives for employees to report suspicious e-mails or follow well-designed security procedures. At the same time, CSOs and other business and security leaders can benefit from deep and granular metrics that deliver insights into what people are doing right and wrong. “This provides guidance about how to create incentives for employees and which people are repeat offenders,” she says. The organization can then recognize the positive behavior and trends–perhaps with a brief celebration that features food and drink–while quietly dealing with the people who are unable or unwilling to comply with policies. In a worst-case scenario, this may involve termination.

A critical best practice, Hutchinson says, is making it easy to report problems and establishing bounties and rewards for submitting malicious e-mails or identifying other threats. This can be as simple as adding a one-click link to an e-mail application or including a link at an internal web site that allows employees to ask questions, discuss threats, submit suggestions, or send along suspicious activity, including questionable documents and files.

Another best practice is establishing a leadership model that promotes cybersecurity and works to align goals and initiatives. “Executives need to be able to speak about security in the language of business. Executives must learn about security and understand enterprise risk at a fundamental level,” Hutchinson argues. “It’s completely unacceptable for executives to take the position that it’s not their primary concern or responsibility to deal with cybersecurity. It’s like claiming that there’s no need to thoroughly understand the balance sheet and the numbers.” Adds Richards “Today, every person working in an enterprise requires some understanding of cybersecurity and data protection.”

In the end, when organizations get the equation right–through solid training, sound reporting and leadership–the results can be transformative. Says Richards: “A culture that is focused on cybersecurity and has the right knowledge has an advantage.”