Creating a Culture of Cybersecurity
Even the best-made cybersecurity governance programs cannot anticipate every situation that should be guided by a principle or policy. At some point you will have to rely on the employees of your organization to do the right thing. How do you train every employee to do the right thing every time? You cannot; no amount of training will accomplish this. What you must do is change the culture of cybersecurity over time, so that doing the right thing becomes intuitive. Training helps, but it is not the sole answer.
Culture begins at the top. If the management of the organization does not play by the same rules or actively participate in your organization’s cybersecurity program, the culture will not change. I have found the best way to change the culture is to identify respected change agents and disperse them throughout the organization, having them lead by example and thereby change the culture. Change agents include:
Senior management
Senior leadership, from the chief executive officer to the chief financial officer, must actively and visibly support cybersecurity with more than the occasional obligatory email. They need to be seen attending awareness training, overseeing the handling of data breaches, and speaking with members of the cybersecurity team.
Business line management
If the business leaders with budget authority do not believe in the value of cybersecurity – and are unwilling to invest in their own people and projects rather than waiting for corporate funding – the culture will never change.
Cybersecurity champions
Champions are strategically named and placed throughout the organization from the boardroom to the shop floor. They constantly pose the questions, “Are we secure?” and “Is this the right thing to do?”
Employees
Employees are the human firewalls, the line of defense. They should have the “if you see something, say something” attitude.
Contractors
Contractors need to be viewed as partners or employee extensions. They play an integral role in reinforcing the culture of cybersecurity.
Excerpted from Building Effective Cybersecurity Programs: A Security Manager’s Handbook, by Tari Schreider SSCP, CISM, C|CISO, ITIL Foundation