How to put people first in a cybersecurity culture

Want to know the secret? We have spent a long time getting our cybersecurity culture completely wrong. Over the past 20 years we have become accustomed to using technology to protect technology, but we have done a poor job of using technology to protect people. Given that humans are the primary attack vector, there is a clear rationale for solving the human problem, and it starts with breathing new life into an aging cybersecurity culture.

Getting the human factor right is key to building a strong and resilient cybersecurity posture. It should come as no surprise that routine human error is a major factor in breaches and can undermine even the most robust workplace security measures. In a rapidly evolving hybrid world where the human element is involved in 80% of breaches, we need to completely rethink how we lead cybersecurity change and drive a strong cybersecurity culture across the workplace.

Ultimately, the stronger the security culture, the more likely people are to act in a safe way and demonstrate safe behavior. The bottom line is that if you want your employees to exhibit safe behavior, you must lay the groundwork by creating an environment for that behavior to thrive.

Understand security culture and how to build it
Culture is built and shaped by what people think. It is essentially about people’s common attitudes, perceptions and beliefs, and a cybersecurity culture is underpinned by those same principles. The driving force behind a forward-looking cybersecurity culture is some of what we, as humans, value most. Put simply, people won’t take to the cybersecurity lessons you’re trying to teach if your organization’s security function is too authoritarian, too inaccessible, or fails to proactively engage with employees. People are widely criticized as the weakest link in the cybersecurity chain, but telling them that everything they do is wrong doesn’t solve anything. We need to educate and build a cyber culture that reaches everyone at every level of the workforce.

It is no surprise that even the best management programs can collapse if they are not supported by a strong, positive culture. Negative culture is often the root cause of vulnerability management program failure. Security operations fail when teams and work cultures are not positive and collaborative, and so cannot produce good results. The point is, no matter how important your security goals are, if your employees believe you have a toxic security culture, those goals are doomed to fail. Terms that often come up when describing this type of poor culture include “punitive,” “vague,” and “fear-focused.” How do you take your employees on a cybersecurity journey when they see the security team this way?

Golden Rule: What Should I Do?
1. Culture starts with the security team. If people find your policies easy to follow and your team supportive, you’re off to a great start!
Self-awareness plays a key role in this effort. Security teams need to be able to hold up a mirror and ask themselves, “Am I going to accept what I see here?” This requires understanding what people actually think of the security team. It may seem daunting to ask employees what they think of their cybersecurity team, but there is no better way to run a cyber culture health check and understand what needs quick improvement. To get started, you can focus on these key indicators.
Ask yourself:
– Do people feel safe reporting incidents, even those they might have been responsible for?
– Is the security team regularly contacted by employees, including requests for briefings?
– Is your messaging landing? If not, why not? Is it too technical, too vague, or too unfamiliar?

Lance Spitzner, Senior Instructor, SANS Institute

As you try to steer your organization’s security course, remember that emotions matter a great deal. It’s important to foster an open dialogue in which employees feel free to share their thoughts and feelings on everything from the security team to policies to training opportunities.

2. Do’s, not Don’ts
Success lies in motivating employees and enabling security. It is not achieved by technical magic, but by understanding people. Look to simple behavioral architecture to see whether you can nudge people toward what you want them to do, without them even realizing it. As experts in what we do, we can be guilty of inflicting cognitive overload on others. How about we simplify this by spelling it out? In cybersecurity, it’s impossible to tell people everything they shouldn’t do, because the list of don’ts is endless. Instead, make it easy for everyone and tell your employees five things to do. Wouldn’t it be better for people to take five simple actions than to ignore a list of 20 things they shouldn’t do?

3. Keep it simple
When communicating cybersecurity instructions, be concise. For example, if you’re rolling out a new password manager, do you think people will take the time to decode technical jargon? Do you even want them to? That’s a resounding no. Why not be the good guy and tell people how much time this new solution can save them and how much easier their day will be if they follow a few simple instructions? If writing for the masses isn’t your forte, no problem. Take the time to connect with HR or your internal communications team to help communicate your vision in non-technical language. To be effective, writing should always be from the perspective of people, not of the security team. Communication doesn’t have to be boring and corporate. Put your instructions in something like a cartoon and more people will want to absorb what you have to say!

The road ahead
Today, cybersecurity leadership is no longer just about technology. Ultimately it is about organizational change: changing not only how people think about cybersecurity, but also what they prioritize and how they act, from the board to every other level of the organization.

Leveraging the latest real-world lessons and organizational transformation models to build, manage and measure a strong cybersecurity culture is now a top business priority. Security professionals should see their role as people managers who help change behavior in support of business goals. Ultimately, managing human risk is why we all do security.

Lance Spitzner is a Senior Instructor at SANS Institute.
