4 Ways to Help a Security Culture Thrive
Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.
Ken Deitz, CSO/CISO, Secureworks
June 13, 2024
COMMENTARY
“Underneath every simple, obvious story about ‘human error,’ there is a deeper, more complex story about organization.”
— Sidney Dekker, The Field Guide to Understanding Human Error
In my experience, culture trumps strategy when building and maintaining robust cyber defenses. It’s a self-evident truth that in cybersecurity, all roads lead back to people. At its heart, security is a human problem — one that needs a human-centric solution. That’s what makes culture so crucial.
It’s often said that it’s not the situation that defines us but how we respond. If the worst happens and your company suffers a breach, your security culture will be on the global stage. It will be your north star guiding how you communicate, engage, and respond to all stakeholders. If your culture is lacking, it will inhibit your long-term cyber maturity and fracture trusted relationships. Trust and security exist in a delicate balance, and culture is the glue that binds them together.
During my career I’ve learned valuable lessons about the core pillars of security culture and how to not only create a good one, but nurture it as well.
1. Establish the Right Mindset
First, mindset matters. I’ve worked with organizations where the focus has been on everything that an employee can’t or shouldn’t do. Let’s be honest: That’s an overwhelming list that, even with the best of intentions, people aren’t going to remember or be able to practically integrate into their working days. Instead, I suggest flipping the script — what are the positive actions people can and should take?
For example, if someone at Secureworks gets an email that they are unsure about, they can just send it over to our designated threat team for investigation. The threat team then comes back to let our teammate know whether it’s OK. Regardless, the threat team always starts their response with the same two words: “thank you.” Cybersecurity is a team sport, and each of us plays a part. It’s important to recognize that in all of its forms. That “thank you” also provides encouragement to remain curious and vigilant.
2. Engage With Empathy
A productive and inclusive security culture is one that shuns blame. A culture of blame is counterproductive and makes your teammates feel powerless — the exact opposite of how you want them to feel. If someone clicks, scans, or interacts with something they shouldn’t, you need to know as soon as possible. If your culture points fingers and makes people feel shame, the chances are they’ll either procrastinate about telling you or not tell you at all, and the first you’ll know about it is when red lights start flashing. Cybercriminals take advantage of people, so don’t double the impact with victim-shaming or making an example of the person. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.
3. Communicate, Communicate, Communicate
When it comes to cybersecurity, there’s no such thing as too much communication. Just because you’ve sent an email or mentioned something in a company all-hands meeting doesn’t mean that the message has gotten across. People have a lot going on in their jobs and lives. Meet people where they are, and you’ll have much better results.
First, do an audit of the communication channels that your business has — intranet, Viva Engage, Slack, Teams, email, team and company meetings, etc. — and devise a communications strategy. Which messages resonate best across which channels? If you’re giving an update on a strategic initiative, a 10-minute slot in the company all-hands could be the appropriate forum. But if you’re aware of an active QR phishing email campaign, you likely want to reach all employees as quickly as possible, so you might use a combination of email and internal message boards.
It’s not just about matching the right message to the right channel, but the person as well. If I were the only person to talk to our Secureworks teammates about cybersecurity, it would be easy to zone me out. That’s why we empower all leaders to talk about security in their team meetings and why our CEO underscores our investments in this area during company meetings. Different people bring different perspectives, and that’s crucial to conveying the importance of cybersecurity.
4. Stay on Your Toes
New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains. But if you don’t create a safe playground for them, they’ll develop their own ways to access and engage with these tools. This, again, comes back to meeting people where they are. We’ve made it easy to interact with and use AI within a safe environment that we’ve built. It’s a win-win situation.
The threat landscape evolves rapidly. Deepfakes, for example, are becoming more advanced and therefore have the potential to cause damage. Typically, they cultivate a false sense of urgency aimed at panicking people into taking action, such as transferring a large volume of money. Cybercriminals are looking to manipulate the dynamic between the executive they are impersonating and the employee. That’s why it’s so important we encourage people to question the situation and give them access to simple tools that let them validate the identity of the person they’re talking to.
Cybersecurity Is a Team Sport
What I’ve outlined above doesn’t happen in isolation. You need to work across many different functions within the business — from HR and communications through to legal and beyond. Be clear about your shared objective with these teams: why you would like their support and the impact you believe working together will have. Share your plans and show them why their teams are so integral to the plan’s success. A shared goal galvanizes the whole business.
And so we find ourselves back at the beginning, with trust and security. A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your business will be safer as a result.
About the Author(s)
CSO/CISO, Secureworks
Ken Deitz serves as chief security officer and CISO at Secureworks, having worked his way up from director of the corporate incident response team. He served in the US Navy as a lead analyst in global network exploitation, then became a senior information security analyst at Advanced Concepts, Inc. He worked as branch chief of the fusion cell at United States Cyber Command until he joined Secureworks in 2011.