Culture: Making Security Normal

Four Pillars That Drive Culture

Throughout my career in cybersecurity, I worked hard to find the right balance between building a strong security culture and managing risk through expensive tools. There is debate over how much a strong culture protects a business compared with large investments in security tools (technical controls) designed to stop and defend against attacks.

The truth is that the best approach to cybersecurity is a layered one. People, process, and technology must all work together. Each layer has its strengths, and if you do it right, you create a tight defense in which each layer covers the weaknesses of the others. This means that investments in technical controls are most effective when the organization has also invested in a strong cybersecurity culture.

What do I mean by a strong culture? Security is a shared responsibility, and regardless of the size or scope of your organization, everyone has a role to play. What that role is may vary from person to person, but there are a few concepts that every organization can focus on. These are foundational, and I refer to them as the 4 Pillars of Cybersecurity Culture.

BUILD THE FOUNDATION

Ownership – Understanding Roles

Building a culture starts with clarity. This means everyone knows and accepts they are an important part of how a company defends itself. If this concept is understood by all, it makes the rest a lot easier.

Action: Culture is driven top-down. Leaders must establish priorities through clear policies, goals, and regular communication.

Readiness – Knowledge and Awareness

Employees need to be aware of the types of threats they may face and what to do about them. Leadership needs to make sure its staff is prepared through training and awareness programs. Staff need to take this training seriously.

Action: Implement a Training and Awareness program that is easy to understand, keeps staff engaged, and not only explains threats they may face, but also instructs them on what to do when they face them.

Behavior – Do the Right Thing

People are often the last line of defense, and a single mistake can have a significant impact on the entire company. Once ownership is understood and people are prepared, it comes down to behavior. If done well, being able to recognize threats and knowing what actions to take becomes a natural response.

Action: Find ways to make it easier for staff to take action when a threat presents itself. Set up an email account that staff can send suspicious emails to so they can be evaluated. Keep an updated contact list available so staff can quickly get in touch with someone when something goes wrong. Celebrate when someone prevents an attack so that everyone is encouraged to do the same.

Consistency – Everyone Rowing Together

This might be the most important pillar. Individuals can have a huge impact on security, but when the entire organization is on the same page, security is much more effective.

Action: Host regular cyber scenario meetings. Sometimes called table-top exercises, these are an opportunity to discuss different threat scenarios as a group. Present a real threat that your company might be exposed to and talk through how you would respond. This gives everyone a chance to agree on the right thing to do, so that when a real attack happens, everyone is prepared.

SUMMARY

Creating a strong cybersecurity culture is foundational to the effectiveness of your security program. Staff should feel like they are part of a team with everyone doing their part. This “we are all in this together” approach helps foster a sense of trust and accountability, making security a priority and not an afterthought.

And please remember this is more about the journey than the destination. Incremental improvements add up quickly, so don’t feel the need to tackle everything at once. Do what you can with what you have. With a security-first approach to how you run your business, your cybersecurity journey is on the right path.

HOW CAN SECURITY MOMENTS HELP?

Security Moments offers an affordable Training and Awareness program designed specifically for small businesses: short, engaging videos, quizzes, and quarterly cyber challenges, all for less than $10 a month. You can also visit our YouTube channel, where we post our monthly Practical Moments episodes that highlight real-world situations that we all face, taking the mystery out of security. Keeping your staff educated and informed is one of the least expensive and most beneficial ways to keep your business Safe and Secure.

WHAT’S NEXT?

In my next blog, I will discuss how a systematic approach to identifying, prioritizing, and managing Risk can help you focus on what’s truly important.
