Culture and Commitment

Last week, I discussed the importance of establishing a cybersecurity steering committee to align with the COSO principle of Establishing Operating Structures under Governance and Culture. As a reminder, the COSO ERM framework has five components, and we are still within the first component, Governance and Culture, which contains five principles:

1) Exercise Board Risk Oversight

2) Establish Operating Structures

3) Define Desired Culture

4) Demonstrate Commitment to Core Values

5) Attract, Develop and Retain Capable Individuals

This week, I want to discuss how cybersecurity applies to the 3rd and 4th principles: Define Desired Culture and Demonstrate Commitment to Core Values.

I've decided to combine these two principles because they go hand in hand. Do a quick Google search on recent cybersecurity incidents, and you'll see that the root cause of most breaches involves every cybersecurity program's weakest link: people. A clicked phishing link, a reused password, a rushed misconfiguration, or a policy that was never followed shows up somewhere in the chain of nearly every incident you read about.

We often talk about people, process, and technology. Notice how people come first. Let's face it: as cybersecurity professionals, we generally shy away from the squishy topics like people and culture.

There is a misconception that cybersecurity personnel consist of a bunch of black-hoodie-wearing introverts who can work for days on end in a basement without speaking to anyone. We HAVE to break that stereotype. Like it or not, soft skills are REQUIRED to establish a solid security culture. A strong security culture does not grow organically. It is like a young child, counting on you to nurture and nourish it.

Your organization's core values should include a strong cybersecurity culture, and your cybersecurity culture should align with your organization's core values. Those core values are defined by the board of directors and the executive leadership team.

When key leadership directs and believes in a strong cybersecurity culture, and when your cybersecurity policies, awareness training, and employee accountability measures emphasize the organization's core values, it is relatively easy to inspire employee commitment to cyber hygiene.

There is no single definition of a strong cybersecurity culture, nor is there universal agreement on what elements must be present. However, it is my experience that strong security cultures exhibit the following five essential elements:

1.     Security culture is not a thing you do as an organization.

a.     It is what YOU ARE as an organization.

b.     Security culture is emphasized and embedded into every technology and process decision.

2.     Trust.

a.     There needs to be a high level of trust between employees, from the executive level to the individual contributor.

b.     Trust is typically built upon transparency, honesty, and following through on commitments.

c.     Strive to establish and maintain trust within your immediate team and between your team and the rest of the organization. Remember the old adage: "Trust takes years to build, seconds to break, and forever to repair."

3.     Awareness, awareness, and more awareness.

a.     How can people be held accountable for their actions if they are not aware of what is required of them? Security newsletters and annual training videos are not enough.

b.     Successful security cultures elevate security training to the same level as the organization's safety and ethics training.

c.     Consider bringing in marketing and education professionals to develop and manage your cybersecurity awareness and training programs. They will probably develop and deliver more engaging content that employees will be less likely to ignore.

4.     Cybersecurity champions

a.     Who are the security champions across your organization? Can you name some? If not, then encourage the development of a cybersecurity “Champions Program”.

b.     Much like the cybersecurity steering committee, a good “Champions Program” develops key individuals, organization-wide, to evangelize the importance of your organization’s cybersecurity strategy, goals, and challenges.

c.     Gain executive support for the “Champions Program” by building a business case around how the program will contribute to your organization’s strategic goals.

5.     Make it fun and rewarding.

a.     Think outside the box; the marketers and educators mentioned under awareness are one example of what that can look like.

b.     I am not a psychologist, nor am I an expert on behavioral science, but I don’t need a Ph.D. to know that people tend to be more engaged and retain more information when they’re having fun.

c.     Use the carrot and not the stick. A "Champion of the Month" prize for the person who reported the "coolest" phishing email can go a long way toward supporting and sustaining an ongoing security-minded culture. Note that the reward is for reporting, not for never being fooled; people who are punished for clicking stop telling you when they did, and that silence is far more dangerous than the click.

Next week, I’ll wrap up the COSO guiding principle of governance and culture and talk about the final point of Attract, Develop and Retain Capable Individuals.

Let’s continue to engage. Please leave your comments. If you want to have a direct conversation, please send me a message and we’ll set something up. Thank you so much for watching and have a great week.
