For organizations implementing or enhancing cyber-security policies, the type of culture and technology changes required to prevent attacks can be a sensitive issue. The ideal scenario is one of partnership – where employees understand the rationale for policy and act as additional eyes and ears for the company – creating a unified defense against would-be attackers. Here are some key considerations when it comes to creating a culture of cybersecurity.
Cybersecurity Starts at the Board Level
The best-intentioned cybersecurity plans and policies can go awry if senior leaders aren’t all-in. The good news is that cybersecurity is now front and center in the boardroom. Senior leaders see the reports of data leaks, breaches and hackers and want to know how to prevent similar attacks at their own companies, so there is less ‘buy-in’ required. What ends up being debated is just how much security is ‘enough.’
The key to getting agreement from senior leadership is transparency. Senior leaders in an organization may be removed from the day-to-day challenges of fighting cyber-security attacks. Show them what happens on any given day and the data will speak volumes. It’s important to determine where your company is on the cybersecurity spectrum – and more importantly, where your company wants to be. If, for example, the spectrum of least-to-most secure runs on a 1-10 scale and your company is a two but would like to get to a four, you can set your strategy accordingly. Investment (i.e., budget) aligns to strategy. There is a cybersecurity maturity curve for every company, and setting a desired point on that scale will help anchor and direct your company.
There’s also an element of risk tolerance – think of cybersecurity like personal insurance. If you ask 500 people how much insurance they think they need, you’ll get 500 different answers. Different people have different levels of risk tolerance – it is the same for businesses. Of course, heavily regulated industries like banking will have very little risk tolerance, but this is not the case across all industries.
Avoid Pitfalls & Make Cybersecurity Real
There are really two sides to rolling out a cybersecurity strategy: the technical side and the cultural side. The technical side involves ensuring your network, and the devices that interact with that network, are secure.
What’s often missed is the cultural side. People can be resistant to change, and this carries over to our working lives. It’s interesting – sometimes the newest employees are the least resistant to change, as they don’t have ingrained habits and expectations. Even with carefully paced-out changes, some key culture decisions will be met with resistance. On the flip side, there are some, whether in IT or management, who would prefer to simply flip a switch in order to enact policy. In my experience, the least effective way to change a culture is to merely declare policy – it leads to resistance and in some cases non-compliance. Rather, communication and connecting changes back to what employees do in their day-to-day roles is key.
Cybersecurity and securing an organization does not happen in a vacuum. Policy decisions that are made in the boardroom will have an impact on people’s day-to-day work. Employees are individuals and in a company of 1,000 you’ll have 1,000 individuals who work in 1,000 different ways – every person will have a unique role or a unique way in which they approach their role. This makes it hard to scale a one-size-fits-all policy.
Training and education can be useful when rolling out a cybersecurity program. But there are limitations. For example, despite all the training and horror stories, there will always be a certain percentage of people who will click on a phishing email. A better path may be to educate employees on the rationale for a policy – helping them understand the ‘why’ of any given policy.
Communication is Key
If your company has been spared a major attack, now is the time to consider (or reconsider) your cybersecurity policy – don’t wait for a forcing factor such as a breach to have to figure it out. It’s all about communication: at the board level, the need for cybersecurity should be laid out with facts and data, aligned to the overall company strategy, as well as where your organization falls on the cybersecurity maturity curve. For employees, it comes down to good change management in the form of training and communication around policy initiatives.