Cyber CEO: 3 Tips For Developing a Culture of Security-Driven Business

June 24, 2021

Last month I discussed the importance of gaining board and executive-level buy-in to build a strong cybersecurity program. But it shouldn’t just stop there! I’ve said it before and I’ll say it again – your business must take an integrated, full team approach to infosec. The past 18 months have proven that any person in an organization can be the vulnerability that leads to a disastrous attack – no matter how technical or how close they are to the company’s crown jewels.  

Throughout the cybersecurity strategy journey – from development to implementation – it’s important to keep your entire team in mind. What are the best practices that everyone should learn? How will a breach affect each department? Who is accessing critical assets and what protocols should they be following? The simple fact is, lack of awareness – for any number of reasons like lack of training, burnout, or multi-tasking – creates security risk.

I’ve spoken extensively about why the move back to the office will be a huge feat for cybersecurity professionals, and setting up a secure hybrid workforce will be the same. The sheer number of endpoints that need to be identified and secured properly is enough to make anyone’s head spin!

Now is the time to work smarter, not harder. That starts with ensuring that you implement effective controls first, and then educate everyone on your team (regardless of whether they are in a technical role or not) about cybersecurity and what they can do to protect themselves and your enterprise.

A recent study found that 88% of cyber breaches are due to human error. Statistics like this contribute to the common view that people are your enterprise’s “weakest link.” I’d like to argue that often, our employees – particularly those who are not involved with IT or more technical roles – are simply not set up for success when it comes to cybersecurity.

Imagine what would happen if we were to shift our perspective and start thinking of our people as one of the greatest cybersecurity assets.  

As cybersecurity leaders, what can we do to enable our team and develop a culture of security-driven business? Here are my top 3 tips.  

Stop Using Scare Tactics 

Researchers have found that leading with fear when it comes to cybersecurity is not as effective as most people think. Only communicating the terrible things that happen when your team doesn’t follow cybersecurity best practices can lead to anxiety and the inability to think clearly when dealing with high-pressure situations. And what’s worse – this approach has been shown to make employees less likely to report cybersecurity incidents when they occur for fear of getting into trouble.

Instead of being fearful of the consequences of a breach, you want your team to be invested in the cybersecurity of your organization. Providing support and easily accessible channels to inform themselves and to carry out cybersecurity best practices is key. Nurture a culture of trust and open communication where your team feels supported in asking questions and making measured decisions when they see suspicious activity.   

Provide the Right Resources 

Along with creating an open and empowered atmosphere, it’s important to make sure your team has access to resources that help them make informed decisions about cybersecurity. This doesn’t just mean hosting training sessions – which are still a great tool! Take it a step further by having materials that are always available for your team to access when they’re unsure of how to move forward. This could be a person in each department who is dedicated to cybersecurity and can answer their colleagues’ questions, recorded video tutorials, or written FAQs. Make it as easy as possible for your team to know what to do when faced with potential cybersecurity threats.

Develop a Program that Balances User Experience and Security 

Something I’ve learned in the many years I’ve been in this industry is that purely technical tactics and human nature often don’t mesh. You can have the greatest technologies, tools, and methods, but if the people in your enterprise can’t figure them out, they’re essentially useless! What we’re seeing in our most successful client environments is a cybersecurity program that keeps human user experience (UX) top of mind. Cybersecurity can feel inconvenient and cumbersome - but finding the right balance between security protocols and removing unnecessary barriers for your team can make a huge difference. As noted by many IT professionals – the best and most innovative cybersecurity tools won’t be the ones with a load of features or the best performance stats, they’ll be the ones that are the most intuitive and easy to use.  

Don’t just take my word for it. Talk to your team! And not just the IT folks. Engage every department and level of your organization. Find out what would work best for them and how to maximize the potential of your security program based on their abilities and habits. One of the best ways to do this is to involve them in the process from the get-go. Not only will you nurture investment in cybersecurity, but you’ll have rich data to better develop your integrated and holistic cybersecurity strategy. 

Cybersecurity is a team effort – full stop. It’s time to throw away old notions of viewing people as a part of the problem – as we’ve seen, with the right controls and when properly educated and supported, they’re part of the solution!  

 

To Your Success, 

I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. I’m the Founder & CEO of Herjavec Group, one of the world’s most innovative cybersecurity operations leaders. We pride ourselves on keeping enterprises around the world secure from the threat of cybercrime.

This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you… Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices. Make sure to subscribe below and feel free to reach out here with the topics and questions you’d like to see covered!

Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.

 
