Cyber security culture is a collective effort

Many believe that cyber security culture starts from the top and works its way down. While there is merit to this statement, I would argue that all stakeholders in the ecosystem create cultures collectively.

Cyber security involves many different technical and informational solutions that must be adopted and implemented to give an organization the greatest chance of resiliency in a complex threat landscape. Technology is necessary for addressing cyber threats, but it cannot work independently of complementary factors such as policy guidelines, information sharing on threats, and user awareness.

Indeed, developing a cyber security culture achieves two important objectives: 1) it intertwines security practices with business operations in order to improve an organization’s security posture, and 2) it demonstrates that security is not a function relegated to an understaffed and underfunded IT department.

Establishing a cyber security culture asserts that everyone, including executive leadership and management, has an equal part to play in cyber security, which is essential for bolstering an organization’s resiliency. For this reason, when “employee” is used in this paper, it refers to individuals at all levels of an organization, not just workers.

If individuals are the weakest link in the cyber security chain, then it follows that cyber security must start at the individual level. Employees must be actively involved in an organization’s cyber security apparatus, as they will likely have access to many of the business’s computers, systems, and networks, and often serve as the first line of defense in protecting them. Executives are targeted for their potential access to sensitive information; worker bees are targeted just as readily, because compromising one of them gives an attacker a foothold in the network from which to elevate privileges and move laterally in search of that same information. Both represent access roads to the same destination.

For this reason, security training is best approached collectively. Many organizations require employees to undergo annual user awareness training. However, such training is often viewed as a compulsory chore rather than an opportunity to inform and educate. Frequent, interactive training will better prepare employees for current threat trends by highlighting the tactics, techniques, and procedures hostile actors use to gain unauthorized access to targeted systems.

Furthermore, such training should bring executives, management, and employees into the same room, where they can share their experiences and thereby educate each other on the types of threats they’ve personally encountered. This type of transparent dialogue connects the workforce as a unified whole and provides insight into where security awareness is strong and where it is weak.

The socialization of cyber threats among all levels of a company’s workforce reinforces the concept that cyber security is a shared endeavor. For example, social engineering and spearphishing e-mails that target one class of worker may not target another; yet it is imperative that everyone be cognizant of what they entail, how suspicious e-mails can be checked, and what should be done if they are received.

This instills the knowledge that each employee has a vested interest in safeguarding the organization by ensuring its sensitive information and accesses are preserved and maintained.

It’s imperative that accountability and responsibility not be projected as burdens that punish employees or risk impeding business operations for the sake of compliance. Rather, they must be communicated as opportunities to strengthen an organization’s commitment to protecting the information and access that support the goals of the business.

A savvy and alert employee can proactively prevent an attack, for instance by not clicking a malware-laden link in an e-mail, before it even has the chance to begin. Given the expenses organizations incur when someone is duped into opening a hostile link or attachment, this is no small feat.

Communication is an integral part of cyber security culture and a critical enabler for employees to become active in the organization’s security efforts. Communication takes several forms: it can be policy guidelines directed from executive leadership; it can be worker-level individuals reporting potential security incidents before they unfold; it can be security personnel informing the organization of new threats impacting the sector.

With the advent of bring-your-own-device policies and more organizations enabling employees to work from home, the security standards employees maintain at home now have implications for the workplace as well. Therefore, educating them on acceptable online behaviors, including the types of information they share on social media, will help employees reduce risk both at their residences and at their places of work.

“Culture,” by one definition, is “a way of thinking, behaving, or working that exists in a place or organization.” Executives can certainly lead a cyber security culture, but it must be built, developed, and supported by the entire organization for it to succeed. In this way, “we are all equal partners” becomes a reality rather than a slogan. And it’s in everyone’s best interest.
