The culture of cybersecurity
“Technology and training are not enough to safeguard companies against today’s litany of cybersecurity attacks.”
— MIT Management
When you see or hear the term cybersecurity culture used, it’s usually something like, “We have to change our cybersecurity culture,” or “What is your cybersecurity culture?”
I’ve never really thought about it much, but I recently hosted a webinar for one of our Texas Banker ISAO sponsors, IronCore, INC. Their president, Andy Minneker, gave a presentation on “Cultivating a Culture of Best Practices” and it really got me thinking about our terminology.
How many times have you heard the term changing our culture? To me, it has somewhat of a negative connotation — usually used when something is not going as planned and you need to change the course. Especially in the financial services industry, I don’t think this is the right terminology. After all, we’ve been focusing on cybersecurity threats and risks for quite some time, whether it be from all the regulations or, more importantly, because it’s the right thing to do for our communities and customers. So maybe it’s time to think about it a little differently. Let’s cultivate our cybersecurity culture. Let me elaborate.
Cultivating has so many meanings, but to me, being raised in a farming community, “cultivating” has always meant to turn the soil over and start fresh for the new planting season. It didn’t mean we were changing anything, just that we were following a well-established process to ensure the best path to a successful crop.
Much like our cybersecurity cultures, we’ve reached a point where it’s more about improving our processes than changing them. As I stated earlier, we’ve got the right technology, our security budgets are healthy and leadership is engaged. So how do we improve or cultivate our cybersecurity culture? We start by empowering our people and getting everyone on the same page.
Our security culture requires care and feeding. It is not something that grows in a positive way organically. A sustainable security culture is bigger than just a single event. It’s more than just having the occasional phishing test or October security awareness month. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.
How many times have you heard the phrase “security is everyone’s responsibility”? I would guess almost everyone has heard this. But a better question to ask is “who is actually implementing this very basic principle?” No single person or group is responsible for the security of an organization. Everyone has a role, from the top down. The security team may implement the technology, another department may build out the policies and procedures, and leadership is responsible for communicating the culture to the rest of the organization.
Make security fun and engaging. Security is usually associated with boring training or someone saying no all the time. Security can be so much more than boring PowerPoint presentations and videos. I was fortunate enough to work at a bank that was very innovative when it came to training. We had a “Game of Threats” event where we engaged with leadership and the board to participate. It was an interactive cyber breach simulation based on real-life cyber attacks and was designed to be a non-technical introduction to cybersecurity. It was so successful that we were asked to do it again and again.
To summarize, cultivating a cybersecurity culture in our organizations means building long-term success across the entire organization: outlining your security goals, starting with board members and leadership, and working your way down.