GUEST ESSAY — The rationale for pursuing a culture of cybersecurity– and a roadmap to get there

By Matthew T. Carr

Organizations with strong cybersecurity cultures experience fewer cyberattacks and recover faster than others.

Related: Deploying human sensors

This results from emulating the culture building approaches of high-risk industries like construction that devote sustained attention to embedding safety throughout the organization.

For most organizations, building a cybersecurity culture is a necessary evil rather than a cherished goal. Prioritizing security means desirable cultural norms like openness, trust building, creativity, efficiency, and risk-taking might suffer.

Until a decade ago few organizations needed a cyber security culture. If the security industry catches up with adversaries, then the need for a cybersecurity culture will eventually fade away. Few will miss it.

Cybersecurity culture is a subset of the overall corporate culture. It harnesses beliefs and values to promote secure behaviors by employees in everyday work activities.

Model culture

Cybersecurity culture is necessary today because routine actions such as opening emails, responding to customer requests and using productivity software can put the organization at risk for ransomware and data breaches.

Inherently dangerous industries like construction provide a good model for culture building. Top performers know that systematically building and enforcing a culture of safety among all employees leads to success. This experience can be translated to the cyber realm.

Leading construction firms take an aggressive approach to creating a culture of safety:

•They make safety the organization’s number one priority. Management makes decisions that favor safety over other priorities such as cost, speed, and flexibility. That only happens with a real commitment from the top.

•Ongoing training ensures employees can confidently perform the safety roles assigned to them. Time and money for training is another tangible example of a company’s seriousness.

•Managers ensure that employees are involved and committed by building safety into everyday routines and guarding against cynicism and noncompliance.

•Reward and punishment are used to translate the safety priority into consequences. Bonuses are awarded for going above and beyond. Those that fail to perform after constructive feedback are written up or terminated.

Few organizations are ready to make cybersecurity their top priority the way construction makes safety number one and it would be a shame if they had to do so. But sometimes there are ways to avoid the tradeoff, such as by designing new processes that are simultaneously more secure and efficient.

Cultural norms

The emphasis on building a cybersecurity culture can provide a convenient excuse to blame employees for security issues that don’t belong on their shoulders. A widely cited study concludes that close to 90 percent of data breaches are caused by employee error. But blaming end users makes matters worse. Employees feel ashamed and culpable, and may be less likely to report a problem when they see it for fear of being blamed.

Cybersecurity culture should not expect employees to be the main line of defense for an organization’s systems. What cultural norms are reasonable?

•Employees should be honest about security concerns and not feel shame when they click a link they should have avoided. The culture should encourage and reward transparent reporting.

•It is reasonable to expect employees to understand and follow the incident reporting.

•Employees should know who is responsible for information and operational security.

•Employees should be trained in and understand privacy laws and policies including GDPR and US privacy laws from California and other states where they do business.

Amusement park analogy

It is an open question about whether frontline and non-technical employees should need a cybersecurity culture at all. Consider an amusement park with a variety of thrilling but potentially dangerous rides like roller coasters.

Safety is built into the rides themselves. If there’s a power failure and a ride gets stuck with guests hanging upside down they should still be ok as long as the amusement park employees follow basic procedures like checking to make sure everyone is bolted in. All we expect of park visitors is that they don’t do something truly reckless like wriggling out of their seatbelts or standing up in tunnels.

Ideally, cybersecurity should work the same way. Let hardware and software makers build in security by design, cybersecurity staff make sure vulnerability scanning tools are deployed securely, and regular workers experience the thrill of their jobs or at least the mundane experience of safely traveling throughout their day.

About the essayist: Matthew T. Carr is co-founder and head of research and technology at Atumcell, which provides cyber security software and services for private equity firms and their portfolio companies. He is an award-winning cyber security researcher, inventor and penetration tester who helps organizations solve thorny security and privacy problems.

March 27th, 2023