Building a cybersecurity culture has always been an important element of an organization's cybersecurity strategy. But experts believe the massive shift to remote work induced by the COVID-19 pandemic elevated the topic in the minds of security and nonsecurity pros alike -- with good reason.
Nearly 60% of security professionals said working from home has made their organizations more vulnerable to cyber threats, and 60% of organizations have detected a moderate to dramatic increase in cyber attacks during the pandemic. That's according to results from the fourth annual Cybersecurity Report Card Survey by Seattle-based threat intelligence company DomainTools.
As an organization's risk profile changes, so must its cybersecurity culture, according to Candy Alexander, president of Information Systems Security Association (ISSA) International, a not-for-profit international organization for security professionals, and CISO at NeuEon Inc.
"We need to identify the new risks, articulate the new risks and make sure that's aligned with the business strategy," Alexander said.
Responding to an evolving risk profile is not just the province of security professionals, Alexander stressed. "We need to really look outward and not inward." The behaviors and mindset required to deal with security risks -- the company's cybersecurity culture -- must be organization-wide.
Indeed, building a culture of cybersecurity is not just important for the organization. "You need to build it for your customers as well. You need to focus on the entire ecosystem," said Aanchal Gupta, vice president of Azure Security at Microsoft.
What is a cybersecurity culture and why is it important?
Jinan Budge, principal analyst at Forrester Research, defines cybersecurity culture as a work environment where every person is excited by cybersecurity and motivated to make it better; people understand why cybersecurity is important; and they see themselves as part of the solution.
Fostering a cybersecurity culture also ensures that employees are aware of what the risks are, or could be, and understand how to respond to or report such risks. This awareness, in turn, helps better protect an organization by creating a strong line of defense against cyber attacks and possible data breaches, Alexander said.
Challenges of creating a cybersecurity culture
However, the path to creating a cybersecurity culture -- one that will improve business and decrease risks -- can be riddled with challenges.
The lack of an adequate budget for security is one major obstacle. Building a cybersecurity culture without buy-in from the company's executive ranks is another. Other challenges security teams face, Forrester's Budge said, include the following:
- Security has a bad rap. The "brand of security" is an important element in creating a cybersecurity culture. The fact that security teams are not always respected or understood is a hurdle security teams must overcome by working to change people's attitude toward security.
- Internecine fighting. The effort starts in the security organization, but often, there's a lot of "toxicity" within the security teams themselves, Budge said, which impacts the broader organization and can be an impediment to building a security culture.
- CISO lacks the "right stuff." The organization's top security officer must be up to the job. Finding a transformational CISO who can lead and build a cybersecurity culture -- and make it a priority -- will be a challenge for many companies.
How to create a cybersecurity culture: 5 best practices
Building a security culture is a matter of tactics and strategy. It is a journey that calls for articulating the goal and figuring out how to reach it, experts agreed. It requires people skills. Taking an empathetic approach, making it personal and relevant to your audience, acting as a close partner to the product and engineering teams, and aligning the security culture with the values of the broader corporate culture are all effective tactics for ensuring a successful security culture implementation.
"People think of security as boring and are reluctant to care about it, so it is important to create an emotional connection to make it effective," Budge said.
Here's an overview of five key best practices that are guaranteed to help information security professionals create an organization-wide cybersecurity culture.
1. Start in the C-suite and make security relatable
The first step toward successfully creating a companywide culture of security is for security leaders to begin working with the C-suite, ISSA International's Alexander said. Security pros should understand and align with the business strategy and then identify the risks associated with that strategy and appropriately communicate those risks in business terms.
"Once the executives understand -- in relatable terms -- what the risk is and what the ask is, then they're able to follow through … and support you," she said.
2. Make it human-centric
Security teams often mistakenly equate having a "human-centric" security program with implementing security awareness training that every employee is required to take, Budge said.
"Truly, you need to start with the people," she said.
This means analyzing stakeholders by understanding their behaviors and challenges and figuring out what needs to be changed and how to implement that change.
"Then, based on that … you create your security culture initiatives for each one of those stakeholder communities," Budge said.
3. Make security awareness training fun and rewarding
Gupta believes building a cybersecurity culture needs to be a team sport. Making security awareness training fun and rewarding and encouraging a "growth mindset" -- that is, an openness to learning and trying new things -- are imperative to success. Security awareness training that involves role-playing and simulation games modeled after TV shows lands well with employees, she said, and helps improve learning retention.
Phishing awareness training, for example, can be made more effective when it comes with a reward akin to a bounty program, where employees get rewarded for spotting a simulated phish. The bounty program can also be extended to reward an employee who recognizes an actual phishing campaign and promptly reports it, according to Tim Helming, security evangelist at DomainTools.
"Investing in good-quality, well-executed user education is absolutely vital," Helming said. "If users are well-trained from an 'if you see something, say something' standpoint in the cyber realm, then they can be an incredibly valuable asset to us."
However, it is important for the culture to be collaborative and positive and to steer away from a culture of blame and fear, he added.
4. Invest in the right security tools -- and develop security talent
Security tools are an integral part of a layered defense, but they are not the panacea for cyber attacks. Helming advised having a well-thought-out complement of cybersecurity tools that can augment the "human aspect" of cybersecurity.
Investing in SIEM solutions that use machine learning techniques, for example, can help empower security operations center staff by augmenting their detection and response capabilities, improving the signal-to-noise ratio and enabling security analysts to focus on the threats that matter, Microsoft's Gupta said.
However, it is important to remember that, as technology evolves and cyber attacks increase, the cybersecurity skills shortage is only getting worse. It is imperative to recruit, train and retain cyber talent from a wide variety of backgrounds in order to maintain advantage, Gupta added.
"We have to make sure that our teams are also as diverse as the problems they are trying to solve," she said, citing studies that show diverse teams make better business decisions.
5. Have a CISO succession plan in place
An essential, but often overlooked, element in building a successful cybersecurity culture is to have a CISO succession plan in place, according to Jason Fruge, vice president of business application cybersecurity at Onapsis. That's because, while a culture change can take up to five years, the average tenure of a CISO is just over two years. Companies should, therefore, make sure they have a successor within the organization who can continue that vision to implement that security culture change.
"Otherwise, we are going to continue to start over every couple of years and never really get there," Fruge said.