On 29 June, teissTalk host Tom Langford was joined by Gry Evita Sivertsen, Cybersecurity Manager, PwC; Ishaaq Jacobs, Chief Cyber Security Officer, Sasol; and Penny Jackson, Security Awareness Lead, John Lewis & Partners.
Views on news
In general, many companies believe the rise of remote work is eroding their cybersecurity. However, a study found that those in remote work positions are actually more aware of cybersecurity issues than those who are onsite, and take more measures to guard against them. The article highlights how complacent employees are at the workplace, thinking that security will be taken care of for them, rather than praising home workers for their alertness. Those working remotely may also have more time and fewer distractions, allowing them to be more security aware, and may also be safer thanks to controls implemented after Covid. There may be differences on a generational basis too. Those less tech-savvy may be more cautious than digital natives.
How to build a sustainable security culture
There is a strong cultural element to security awareness. The litmus test of a good security culture is how willing employees are to talk to their security professionals. If sanctions against someone who has made a blatant security error are harsh (e.g., they get fired), others will refrain from reporting for fear of losing their position. If staff feel they’re caught out with security tests, they’ll be less likely to trust the organisation. It’s not just security experts but also the CEO and the C-suite who have to communicate the importance of cyber security and lead the messaging. Making individual cyber hygiene visible via dashboards can also give a boost to security awareness, as well as render the commitment of the management to security visible. When building a security culture from the bottom up, it’s key to find people at the top level who will champion and demonstrate good practice. Desktop exercises can be useful when involving executives in cybersecurity programmes, as they will be more ready to find the time for and pay attention to an external person. Depending on the type of business, risks other than cyber may be front and centre, which makes it harder for security people to cut through the noise. The practical aspects of creating a security culture include benchmarking. You can find benchmarks in the public domain for your industry or for similar businesses that you can adopt.
The panel’s advice
You shouldn’t tell employees what NOT to do but explain to them what will or could happen if they do certain things.
Create conversations about new threats.
Put a positive spin on risks and explain the new opportunities that implementing controls can create.
Establish a culture where employees see how cool cybersecurity is and try to implement controls in their personal online lives too.
Make your cybersecurity training multi-channel.