5 key points to drive culture change around cyber security
Culture and governance are key to driving change in cyber security behaviours, but too many awareness programmes focus simply on superficial technical gimmicks. Let’s start by deconstructing 3 clichés that have dominated the security awareness arena for the past decade.
Cliché #1 – Cyber Security is Everybody’s Responsibility
At face value, this is truly a very dangerous argument to manipulate. To answer it using another cliché, there is a fine line between something being everybody’s responsibility, and the same thing becoming nobody’s responsibility.
The key here is to acknowledge that while each employee may have a role to play in securing the firm’s assets, those roles do vary from function to function, and failure to communicate with each staff member in meaningful ways in the context of their own job will simply not work: Telling HR staff who receive CVs by email everyday not to open attachments is a waste of time.
Also, it is essential to acknowledge that the level of engagement of each employee around cyber security will depend entirely on the level of engagement the employee has with the firm, its culture and its values. It is a natural instinct to protect what you care about. Conversely, it can be a hard job to convince disengaged staff, or staff who see senior management constantly allowed to skip the rules, while they have to adhere to stricter measures.
So it may well be that in some form “Cyber Security is Everyone’s Responsibility”, but the message cannot be generic and has to be structured appropriately. In addition, the example has to come from the top and must be relayed without exception by all middle-management layers for the message of good practice to work through the fabric of the firm.
That’s often the most common flaw of many cyber security awareness campaigns: They are owned by the cyber security team and structured horizontally towards all staff, instead of being owned by a board member and structured to cascade vertically through line management. Ownership for Cyber Security has to start at the top. Period. One board member should be visibly in charge, and part of their compensation package should ride on it, as we advocated in an earlier article.
HR management should be involved as well, and they have a key role to play: Specific key responsibilities and accountabilities around cyber security should be distributed across staff members and articulated formally in role descriptions. Staff should be incentivised through compensation and by middle-management to address those aspects of their roles as an integral part of their job, not as a piece of meaningless management jargon.
Readers may think this is just idealistic and cannot work in most firms, because those layers of management simply would not be interested or would not understand cyber security sufficiently to articulate a meaningful vision around it.
They may well be right in many cases, but it is also the role of the CISO to stimulate, structure and support that type of engagement.
Of course, firms looking to engage in that type of top-down approach to cyber security awareness development will need to have the right CISO in terms of personal profile, personal gravitas and management experience, or may need to evolve their security organisation to bring in a broader CSO role.
Those necessary exchanges between the security leadership team and senior management will constitute a fundamental awareness programme just by themselves, but any security awareness development campaign can only be truly successful with a visible and credible board member as a figurehead.
If senior management – including HR management – or middle-management are not prepared to engage in a meaningful manner with the fundamental aspects of security good practice, any message anybody may try to drive towards the staff could simply prove to be an expensive waste of money.
Cliché #2 – People are the Weakest Link
They may well be, but the key is to understand why and how in the context of each firm, before jumping to ready-made solutions, in particular with tech vendors.
It has to start from a sound examination of the threats each business is facing. The insider threat may well be a widespread high-ranking business threat in financial services, not so much maybe in logistics or retail.
Of course, in all firms there will be people who have access to sensitive business information and may be tempted or coerced in certain circumstances to leak it out. But the key here is to understand and address their potential motivations in doing so.
Those motivations – quite often – will be rooted in corporate culture, management styles and governance problems: all of them areas you are not likely to address through a “traditional” tech-focused cyber security awareness programme…
It is worth repeating this one more time: Staff will protect the firm with a natural instinct, if they care about it and share its values and its purpose – economically, and increasingly socially as well.
If that sense of care is not there, if the corporate or management culture is toxic, if employees don’t have a sense that they know where the business is going, either because it is not well managed, or because its industry sector at large is not doing well, a broader communication initiative addressing staff disengagement is required and specialised or siloed awareness programmes focusing simply on cyber security are not likely to succeed.
The key will be to bring staff onboard with a valid corporate purpose they can understand and endorse. The need to protect the firm in general as well as its information assets could be one aspect but immersed into a broader campaign aimed at developing a real sense of belonging with employees.
Here again, HR, corporate communications and senior management at large have a key role to play. One senior executive must visibly own and drive the initiative. Once again, this cannot be siloed and left to the CISO and their team.
Cliché #3 – This is all about “Awareness”
How can it be that some firms – and their CISOs – still believe that their staff – apparently – do not KNOW what to do to protect their organisation from cyber threats?
Many people – at individual level – have experienced fraud attempts or virus attacks; data breaches and cyber-attacks are constantly in the news, and many online platforms and service providers have considerably strengthened various security measures, for example around multi-factor authentication; increasingly, people are getting used to those additional layers of security in their everyday life.
More importantly, security good practices have been well established for 2 decades and have not evolved that much: “Don’t write down your password” meant the same 10 or 20 years ago…
And large firms have spent collectively hundreds of millions across the last 2 decades on so called “security awareness” programmes, not to mention governments and their agencies.
So where did it go wrong with those programmes?
The problem is that most of those – over time – have focused too much on making sure people simply KNOW what to do around security, and not so much in giving them incentives to ACT on it, or dealing with the roadblocks preventing staff from enacting good practice.
Just “knowing” what to do to protect your organisation is simply not enough; only the right actions and behaviours can protect the business, so “awareness” by itself is never going to be sufficient without incentives to act and – where necessary – culture change.
In addition, as detailed above, many of those programmes have often fallen short of expectations by being too generic and not rooted in the right cultural context.
Fake phishing campaigns are a good example of where it goes wrong: They have been all the rage for the past few years but often they contribute to the build-up of a “nasty” culture around cyber security: Employees feel tricked and embarrassed, and those are not emotions which are likely to build a favourable ground in which to root good security practices.
Sending random emails, forcing people to follow online training programmes, putting up posters or distributing mouse-mats may well put ticks in compliance boxes but what does that achieve in real life?
Success criteria (“What-Good-Looks-Like”) remain vague, qualitative or anecdotal in many campaigns (at least in those that are not designed as a pure box-checking exercise to address some cheap audit point).
That shouldn’t be the case, and as a matter of fact, the issue of metrics should be central to any cyber security awareness programme and built in from the start.
But it is a really difficult topic, which is why it is frequently side-stepped.
The only way to address this in a meaningful manner – for firms large enough to do this – is to fall back on traditional marketing and polling methods:
- Build representative panels of employees across the firm
- Measure their level of “security awareness” through questionnaires and interviews, in a structured way prior to launching the campaign
- Design the campaign to be centred on key findings highlighted by panels and interviews, and deploy it
- Measure levels of security awareness again and compare
Of course, as well as difficult, this may be expensive, and priced-in from the start, it may well push any programme out of an acceptable budgetary bracket.
But cutting out the metrics aspects – on grounds of costs – from a cyber security awareness programme should bring out a real management question to address: Is it worth spending large amounts on an initiative of that nature, knowing and accepting from the start that you won’t be able to measure its success quantitatively?
5 key points to build a successful cyber security culture change programme
In summary:
- A board member must visibly own the campaign and act as a figurehead, with the involvement of HR, corporate communications and the cyber security team: It can only work top-down. Accountabilities and responsibilities around cyber security must be clear.
- Steer clear of empirical and ready-made solutions: Start with focus groups, questionnaires and interviews, and measure upfront levels of staff security maturity and engagement with corporate values.
- Centre your campaign on the findings of the initial survey and define success metrics from the start based on measured maturity levels: Your scope may need to be much broader than just cyber security to deliver on staff engagement if initial levels are low.
- Make the messages specific, achievable and rooted in the real life of each team, driven by line management, NOT the CISO and their team.
- Build incentives for staff to ACT: It cannot be just about TELLING people what to do.