Millions, if not billions, of pounds are being poured into cybersecurity to protect businesses from the damaging attacks that seem to make the news every day. CISOs are well within their rights to invest in the latest security defences and technology to ward off cybercriminals, but all of this can be undone by an internal issue – human error. A staffer could click a link in a phishing email, or an employee could leave a device outside the company perimeter. In fact, the 2020 Verizon Data Breach Investigations Report found miscellaneous human errors among the top causes of breaches. It goes to show that no matter how much is invested, whether time or money, a single mistake by an employee can unravel everything.
It is for these reasons that security professionals are always cautious, but this attentiveness is often viewed as a hindrance by other areas of the business. How can this negative perception be changed, and what can be done so that all facets of the enterprise pull together in the same direction towards a better security culture?
Attitude towards security depends on culture
The perception of, and attitude towards, the security department, and of security as a whole, hinges on the organisation’s broader corporate culture. If security is ingrained into the fabric of the business, its operations and how employees conduct everyday tasks, then cooperation with security requirements can be seamless. It is about having people care about and take pride in the organisation they work for, and pull in the same direction. This requires an understanding that security culture is a subset of (and influenced by) the larger enterprise’s overall culture, which the boardroom, CISO and security team can help build.
This can be elevated further by initiating security programmes that champion individuals or advocates within the business who take the extra steps to keep the organisation secure; for example, by flagging security issues that the security team would otherwise be unaware of, and thus creating a team ethic built around security.
There is also an onus on security professionals to operate as partners rather than blockades. Build a friendlier relationship with the wider business; be more visible and, most importantly, be more collaborative. We need to do away with the stereotype of the security department being the "department of no." Instead, we need to be seen as the department that facilitates business goals and processes in a way that best manages organisational risks at an agreed-upon level.
Help employees gain a better understanding of security
The value of creating a security-aware workforce should not be underestimated; it is a key component in helping the wider organisation understand the challenges security personnel face. However, implementing this is easier said than done. A common mistake is assuming that providing the right information will naturally lead to employees taking the right actions.
But any parent will tell you that people just don't work that way.
There are three factors that need to be observed to get the best response:
- Just because I'm aware doesn't mean that I care
- If you try to work against human nature, you will fail
- What your employees do is way more important than what they know
It all comes down to understanding human nature and working with (and within the bounds of) human nature to drive results. Anything else is really just throwing information at people and hoping for the best; it might check a compliance box, but it won't prevent a breach.
Getting the right security awareness program to align with the culture
Effective security awareness programmes focus on knowledge, beliefs, relationships, and actions/behaviours. The only way to do that is to make information relevant to people's lives. This means understanding that each employee is an individual operating within a different cultural context, as influenced by their upbringing, profession, specialties, peers, region, and social expectations. All of this affects how information gets encoded/internalised into beliefs (or not). We must never forget that humans are emotional beings. So, if we can infuse our messages with emotional context, those messages will be registered by the mind as much more relevant and 'real' than simply presenting information or facts.
Good security awareness programmes also place a high value on behavioural science and on designing for the behavioural outcomes they want. This is one reason why simulated phishing programmes are so popular – they are effective at measuring and shaping behaviours. Working with human nature means accounting for how humans will naturally behave in a given situation, and then finding ways to nudge the behaviours we want to see, or providing employees with the tools, training, or other situational elements that make the secure choice as easy and natural as possible.
External security partners or vendors are also an important cog in helping security teams convey the necessary messaging around security awareness and collaboration. These trusted partners – while providing the technology needed to secure the organisation – can also provide training material, white papers, industry insight, webinars or videos that raise awareness of the importance of security and highlight the critical function the security department plays.
Security needn’t be seen as a barrier, annoyance or obstacle. If it is, this mindset needs to change. Avoid saying “no” unless it is absolutely necessary or the request jeopardises the security of the business. Instead, work with the wider team to reach the end goal in a safe and secure manner. The CISO and security department must initiate these actions, otherwise this recurring cycle will continue. Remember, the only thing security should be preventing is cyberattacks.
Author: Perry Carpenter, chief evangelist and strategy officer, KnowBe4