Research points to 5 ways to improve cybersecurity culture
Respondents to a new Enterprise Strategy Group/ISSA survey offered five key points on how to strengthen an organization's cybersecurity culture.
Cybersecurity culture helps merge cybersecurity and the business. New research from TechTarget's Enterprise Strategy Group and the Information Systems Security Association (ISSA) provided multiple suggestions from cybersecurity professionals to help drive this change in five key areas.
The European Union Agency for Network and Information Security defines cybersecurity culture as "the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people's behavior with information technologies. Cybersecurity culture encompasses familiar topics, including cybersecurity awareness and information security frameworks, but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee's job, habits and conduct, embedding them in their day-to-day actions."
When organizations embrace this culture change, cybersecurity becomes everyone's job -- developers, line-of-business managers, knowledge workers, executives -- everyone. In other words, everyone is on their best behavior while remaining vigilant for any signs of trouble. Alternatively, organizations that minimize cybersecurity culture delegate digital protection to the CISO and a small team of technologists. And employee sloppiness leads to increasing business risk, compliance violations and cyber attacks.
Most CISOs and business managers I speak with recognize these issues and are making efforts to improve cybersecurity culture and better align cybersecurity with the business. That said, you can't just put up posters, hire motivational speakers or snap your fingers to drive this change.
How to build a cybersecurity-oriented culture
What can be done? Enterprise Strategy Group and ISSA recently asked 301 cybersecurity professionals and ISSA members in the survey "The Life and Times of Cybersecurity Professionals v6" this question. Respondents suggested five areas for improvement:
- Include cybersecurity early in all future business plans. This is the ultimate shift-left approach -- to make sure cyber risk is assessed and addressed as organizations ponder new business initiatives. Think digital transformation or greater use of operational technology and IoT devices, for example. Security teams should be called upon to review planned business processes to understand who will be consuming new applications, where they will reside, what types of devices will be used and what data is involved. Armed with this knowledge, they can create accurate threat models, identify and mitigate risks, suggest controls and figure out how to monitor for suspicious activity.
- Make managers more accountable for security performance. To be clear, line-of-business managers should be measured on their overall business units' performance, but it wouldn't hurt to provide some cybersecurity incentives. For example, business units that do best in areas like security audits, penetration tests and patching cadence and effectiveness should be rewarded accordingly. Business managers are competitive by nature, so they might respond well to this type of cybersecurity gaming.
- Provide more and better security awareness training for nontechnical employees. Security professionals loathe the typical cartoonish security awareness training done at most companies and performed solely for compliance or governance purposes. In lieu of this ineffective method, security experts often endorse more interactive training, such as synthetic phishing or on-demand training based on user behavior monitoring. Regardless, security training should be continuous, not based on an annual online checkbox exercise.
- Emphasize security best practices over regulatory compliance. Industry and government regulations lay out a sound cybersecurity foundation, but unfortunately, too many organizations still think that if they pass compliance audits, they've done all that's necessary for cybersecurity. This behavior was commonplace around 2006. Alarmingly, it is still pervasive today and couldn't be more misguided. Rather than compliance alone, CISOs should stress models such as threat-informed defense and strong program alignment with the Mitre ATT&CK framework.
- Measure and compensate the organization based on cybersecurity metrics. Since cybersecurity is about continuous improvement, it might be useful to provide an organizational incentive based on performance across several cybersecurity metrics, such as password security, email click rates, phishing email reporting and other types of secure behaviors. Even if the reward is something small, like bagel breakfasts or a Friday happy hour, many employees will respond to this type of competition based on perpetual metrics.
Security pros had many other opinions and feedback. See the eBook, "The Life and Times of Cybersecurity Professionals v6" which is available for free download here.
Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.