{"id":1454,"date":"2020-01-13T16:39:08","date_gmt":"2020-01-13T16:39:08","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=1454"},"modified":"2021-04-12T02:55:38","modified_gmt":"2021-04-12T02:55:38","slug":"creating-organizational-cybersecurity-culture","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2020\/cybersecurity\/creating-organizational-cybersecurity-culture\/","title":{"rendered":"Creating A Cybersecurity Culture In Your Organization"},"content":{"rendered":"

It was only a few years ago when many viewed cybersecurity as a compliance-based checkbox exercise. Thankfully, cybersecurity has since matured into a threat- and risk-based collaborative process that is ongoing for many organizations.<\/p>\n

Unfortunately, a major piece of this cultural shift, the very cybersecurity culture of the organization, hasn\u2019t always followed suit. Consider how many organizations you have been a part of, participated in, or heard about where cybersecurity was the focal point for their technical operations team yet individuals within the organization were blamed when policies and procedures weren\u2019t followed. How many times have you heard the term \u201cthe problem exists between computer and chair\u201d or something along those lines?<\/p>\n

Changing the culture of an organization isn\u2019t easy. In fact, I would argue it\u2019s the one aspect of\u00a0 cybersecurity awareness that is the most difficult to achieve. You can\u2019t simply force a new solution or provide a team with training \u2013 it goes far beyond that. It takes dedication, understanding of motivations, identification of behaviors that need changing, and \u2013 above all else \u2013 a willingness to participate. Within this article, we will begin exploring these ideas that are necessary to change an organization\u2019s culture. We\u2019ll do so knowing that a holistic understanding of your people is required if you wish to successfully shift the very nature of the corporate philosophy.<\/p>\n<\/div>

What is the current state of cybersecurity culture?<\/strong><\/span><\/h2>\n<\/div>

Some may argue that an organization which claims to have never been hacked has a great culture.\u00a0 The same folks would likely say that a company that has fallen victim to a public breach has a poor cybersecurity culture. I\u2019d argue that it\u2019s not that easy. Consider the first organization. What if they have been breached but simply don\u2019t know it? As for the other firm, what if this latest incident was a precursor to launching a massive remediation program that moves the company into a far more secure state?<\/p>\n

From an outside point of view, it is next to impossible to understand an organization\u2019s security culture. This is because the people make up the culture, and, in order to approach this seismic shift, you must first obtain a complete understanding of their perceptions of security.<\/p>\n

This leads us to define security culture within an organizational context:<\/p>\n

The fundamental understanding of what cybersecurity includes, the roles and responsibilities necessary for a strong security culture, and the security posture of the organization itself.<\/p>\n

Looking at one example, I spoke with individuals that said, \u201cI don\u2019t need to worry too much at work on what I open or click because they have controls to protect me.\u201d They truly believed that while at the office, they could click on any link, open any attachment, and the security controls in place would protect them 100% of the time. Speaking from my experience as a security professional, there\u2019s no truth to this perspective. The reality is that each and every individual within an organization plays an important part in enhancing the cybersecurity defense team, regardless of the security measures an organization uses to mitigate risk<\/p>\n<\/div>

Addressing the misconceptions<\/strong><\/span><\/h2>\n<\/div>

In regard to the above misunderstanding, we need to look at the internal messaging that is coming across to our employees and ensure those words provide an accurate view of an employee\u2019s role as it pertains to security. At times, a focus on \u201chow\u201d something comes across to non-technical persons is needed to truly understand where an organization stands. Often, this is achieved with the help of a designated group within each department. These individuals are typically referred to as business or cybersecurity champions.<\/p>\n<\/div>

Addressing the cultural gaps<\/strong><\/span><\/h2>\n<\/div>

Once a holistic view of the culture is acquired, you can begin identifying the specific behaviors that need to be addressed. This can be accomplished by knowing which threats are likely targeting the organization, such as CFO fraud or phishing attacks. In order to target these gaps, you must identify the specific behavior you wish to address. Using CFO fraud as an example, let\u2019s examine further.<\/p>\n<\/div>

Targeting CFO fraud<\/strong><\/span><\/h2>\n<\/div>

Below are example sessions on targeting CFO fraud that\u2019s perpetrated through email. Each session looks at a different aspect to demystify actors and their motivations and explore ways to protect against this threat. Please note that this is not a complete list of approaches.<\/p>\n<\/div>