The cybersecurity threats and risks currently facing organizations reach beyond the scope of the IT or cybersecurity department. Attackers threaten a company’s reputation, finances, business continuity, customer base, and compliance posture, to name just a few. A major risk factor is employees, who, whether intentionally or not, are often the vector through which compromises occur.
Given the scope of risk, security leaders need to develop a culture of cybersecurity for the organization as a whole. Security awareness training alone is no longer enough — all departments and individuals need to buy into why cybersecurity is important and treat it as a crucial aspect of everyday company life, rather than a set of checklists and assessments to be ticked off.
Here’s how to create a healthy culture of security and ensure your internal departments are on-board with your overall strategy.
While a cybersecurity leader needs to advocate and champion cybersecurity, they can’t be the only one. Cybersecurity hygiene and culture need to be pushed by executives, heads of departments, and individual influencers within each department. To get these individuals bought in, you need a communication strategy tailored to each of them.
One of the best ways to get stakeholders on your side is to play to their incentives. For executives, the financial and reputational risk at stake is usually the most compelling argument. For marketing teams, the pitch may be that standardizing on a smaller set of approved tools makes GDPR and CCPA compliance easier for them. Whoever you are talking to, find ways to make their job easier or safer rather than simply handing them more responsibilities.
Cybersecurity does not always have the best connotation. For some departments or employees it can feel like a chore or a function that slows things down, which leads people to look for ways around talking to your department or following your procedures and processes.
However, if you use language that resonates with a department, you may see closer alignment. Terms like “data protection” or “data privacy” may make marketing, HR, and finance departments more willing to collaborate with you.
Lastly, make it clear that security is a shared responsibility across all departments, and deliver that message from the top down. If heads of departments make the case for working with your team and enforcing processes, employees are more likely to listen and act appropriately. Each department needs to ensure it is not putting critical data at risk, accidentally exposing assets, or failing to meet the regulatory standards that apply to it. When departments know you are sharing that responsibility with them, they will be more receptive to your efforts.
Security awareness training, testing, and phishing simulations are helpful tools for promoting cybersecurity hygiene and verifying that employees actually take the right actions to prevent attacks and reduce risk.
However, your follow-up strategy matters. If you blame, shame, or publicly call out an employee’s shortcomings, you create a difficult environment and negative associations with your department. Instead, approach any employee who fell for a simulated phish privately, assure them that they won’t be punished and that this happens in every company, and make clear that reporting a suspicious email, even after clicking it, is exactly the behaviour you want.
You should also look for ways to reward and celebrate positive actions. For example, announce a gift or reward for departments that reach 100% MFA enrollment. Gamify phishing simulations and celebrate the departments that are first to spot and report the simulated scam email.
These might seem like small actions, but they make a positive impact on how your department is seen while also promoting cybersecurity hygiene.
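As an added illustration (not code from the original article), here is a small Python script that turns an identity-provider and phishing-simulation export into the per-department numbers this kind of programme needs: MFA coverage for the 100% reward, and a leaderboard built on who reported the simulated email rather than on who clicked. The CSV columns, department names and employee rows are constructed for the example; a real export would come from your IdP and simulation platform.

```python
"""Per-department security-hygiene scorecard.

Added illustration, not code from the original article. It assumes a CSV export
with one row per employee and the columns below; the names and rows are constructed
for the example, not real people or real data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data. `reported_at` is minutes after the simulated phishing
# email was sent; it is empty when the employee never reported the message.
SAMPLE_CSV = """\
user,department,mfa_enrolled,clicked,reported_at
alice,finance,yes,no,4
bob,finance,yes,no,
carol,finance,yes,yes,11
dave,marketing,yes,no,2
erin,marketing,no,yes,
frank,marketing,yes,no,
grace,hr,yes,no,
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts, one per employee."""
    return list(csv.DictReader(io.StringIO(text)))


def department_scorecard(rows):
    """Aggregate per department: MFA coverage, click rate, report rate, first reporter."""
    by_dept = defaultdict(list)
    for row in rows:
        by_dept[row["department"]].append(row)

    scorecard = {}
    for dept, people in by_dept.items():
        headcount = len(people)  # never zero: a department only appears if it has rows
        mfa = sum(p["mfa_enrolled"] == "yes" for p in people)
        clicked = sum(p["clicked"] == "yes" for p in people)
        # Everyone who reported counts, including people who clicked first:
        # reporting after a mistake is the behaviour the article wants rewarded.
        reporters = sorted(
            (int(p["reported_at"]), p["user"]) for p in people if p["reported_at"]
        )
        scorecard[dept] = {
            "headcount": headcount,
            "mfa_coverage": mfa / headcount,
            "click_rate": clicked / headcount,
            "report_rate": len(reporters) / headcount,
            "first_reporter": reporters[0][1] if reporters else None,
            "first_report_minutes": reporters[0][0] if reporters else None,
        }
    return scorecard


def full_mfa_departments(scorecard):
    """Departments that qualify for the '100% MFA' reward."""
    return sorted(d for d, s in scorecard.items() if s["mfa_coverage"] == 1.0)


def phishing_leaderboard(scorecard):
    """Rank departments by report rate, then by how fast the first report came in.

    Click rate is deliberately not part of the ranking: the leaderboard celebrates
    reporting rather than shaming the people who clicked.
    """
    def key(item):
        dept, s = item
        minutes = s["first_report_minutes"]
        return (-s["report_rate"], float("inf") if minutes is None else minutes, dept)

    return [dept for dept, _ in sorted(scorecard.items(), key=key)]


if __name__ == "__main__":
    card = department_scorecard(load_rows(SAMPLE_CSV))
    print("100% MFA:", full_mfa_departments(card))
    print("Phishing leaderboard:", phishing_leaderboard(card))
    for dept in phishing_leaderboard(card):
        s = card[dept]
        print(f"{dept}: {s['report_rate']:.0%} reported, first by {s['first_reporter']}")
```

The click rate is still computed, because you need it to judge whether the simulation was realistic, but it never feeds the leaderboard, so no department is ranked by who fell for the email.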
Collaboration is necessary if other departments are going to work with you, which means your department should be visible, open, and in frequent communication. If you only tell other departments what to do, and only reach out when they’ve done something wrong or failed to follow a process, you won’t be seen favorably.
Don’t just leave employees and departments to their own devices. That is likely to produce a culture that doesn’t see cybersecurity as essential, and elevated risk for the entire organization.
In the same way that you adapt your cybersecurity strategy to the current threat landscape and the needs of your internal environment, you should also consider what your organization’s culture currently looks like and adapt your strategy accordingly.
For example, the rise of remote work, hybrid departments, and the general increase in BYOD devices connecting to your organization’s environment has elevated the risk it faces. To gain visibility and detect potential threats, you may want to deploy MDM or similar device management and monitoring tools.
However, such tools face increasing resistance: employees may see them as intrusive and at odds with the work-life balance that is an increasing priority, particularly for those working from home.
This means any kind of device or employee monitoring software is likely to face significant push-back and damage how the cybersecurity department is seen. Instead, consider options that promote cybersecurity in a way employees are more likely to adopt.
For example, if there is budget for it, you can provide employees with a password manager and/or VPN software for their work devices as well as their personal devices. These tools commonly offer business plans, some of which include personal licences for employees, which keeps the cost manageable.
Offer and encourage these tools rather than mandate them. By making them available on personal devices, you also encourage their personal use, which fosters general adoption and improves overall cybersecurity hygiene across multiple departments.
Even the best cybersecurity strategy can be hampered by an organization that doesn’t want to participate. The result can be a security department that can’t get the budget for more headcount, or that waits a long time for tool, vendor, and contract approvals. It can also mean lower overall adoption of tools and processes, which hinders how well the security department performs.
Cybersecurity leaders need to be their own department’s advocate, which requires some soft skills. However, by ensuring that there’s a healthy cybersecurity culture and that your department is seen in a positive light, you can more effectively secure your organization.