
How to Build a Culture of Cybersecurity With Shira Rubinoff

Liz Corbett, June 28, 2023
Security doesn’t happen in a vacuum. While security often refers to the tools and techniques that organizations use to protect their users and customers from malicious attacks, it’s so much more than technology and best practices. Strong cybersecurity involves more than just security analysts and IT teams; it starts with a culture that makes security everyone’s responsibility. Every login, password, and email can potentially be an attack vector, so while the right technology is a huge help in guarding and protecting your organization, the small, everyday actions and choices of your employees and users matter just as much.

Creating a culture of cybersecurity (the strategy and implementation of education, training, and adoption of security tools and technology for users) is instrumental in a successful security program. Shira Rubinoff, cybersecurity thought leader, joined LastPass SVP Lora Rodstein to discuss the importance of a culture of security, the challenges of growing it, and how to make it successful. Here are the top takeaways from this important conversation.

Why is thinking about cybersecurity culture important?

A culture of cybersecurity is an opportunity to get all of your users on the same page about what’s important and why. Top-down training and education can absolutely lead these efforts, but organizations should also encourage user feedback and input as part of the overall culture. When users know they have a voice in helping to improve security culture, they feel valued as important sources of knowledge and aren’t afraid to share their concerns or their ideas. Leadership should encourage regular 360-degree discussions between users and leadership.

Why is it important for a business to be proactive with cybersecurity culture?

Shira notes that small organizations are more likely to push back against investing too much time in being proactive, as many SMBs don’t consider themselves at as high a risk as a billion-dollar enterprise organization. But modern security threats mean that everyone is a target. Relying only on reactive strategies can resolve incidents after they happen, but it can’t prevent the damage, such as that from insider threats, whether malicious or accidental.

How do you get employees to comply with cybersecurity policies?

Some security policies are non-negotiable, but having an open door for ideas and suggestions gives employees a voice and makes them invested in the outcomes. They’re more likely to use the policies if they know that there’s a collective responsibility not simply to follow them blindly, but to stay aware and open to ways to add to or improve them.

How much should a company spend on building a cybersecurity culture?

Shira’s number one recommendation is to be creative. This means diving into the available budget, assessing other potential sources of funding, and deciding early on what’s a need vs. a want. What gaps will cause the most problems? Address those first. In many cases, it might just be user knowledge or product adoption. Since security ultimately underlies the success of all the teams and efforts for an organization, you might be able to find budget in different parts of the organization by making the case that security requires investments all across the board to protect all resources and critical assets.

Investing in low-cost steps first can be effective, too. Training has a low barrier to entry and can be engaging and effective when done right. Instead of three-hour annual trainings, consider using videos and visuals that are short and focused. Drop short, fun videos (1-2 minutes) in Slack every few weeks.

How do you measure cybersecurity culture?

There are a few important parts to measuring the impact of your security culture. One of Shira’s priorities in assessing success is feedback. What do the users have to say? What’s the response from people who are being brought into this culture? By prioritizing communication and asking questions about user experience, teams feel more empowered and invested, ultimately leading to better security habits. Leaders who make adjustments based on user feedback can communicate that security culture is a two-way street and all voices are needed to be effective.
We’d also recommend:
  • Regularly monitor and review your cybersecurity measures to ensure they are effective and up-to-date. Create regular management reports showing cybersecurity policy compliance, security incident statistics, perceived threat levels, and recommended actions for remediation.
  • Establish a process for responding to and managing potential security incidents, including conducting regular drills and exercises to test your response plans. Run dynamic tests and simulations, such as phishing, to put the education into practice.
For more expertise on the ins and outs of building and growing a strong culture of cybersecurity, you can watch our full webinar here.