GETTING SECURITY CULTURE RIGHT

2.27.23 > Sean Costigan, PhD

In the face of withering cyberattacks and increasing regulatory pressure, security cultures are coming under renewed scrutiny. Ask yourself: do people in your organization feel free to discuss or flag possible cybersecurity problems? For most, the answer is probably no, and the likely reason is that people are afraid of being wrong. They may also fear losing their jobs, or costing the organization time or money, by raising a false alarm. Such concerns point to a serious problem: a poor security culture.

Culture is easy to overlook and hard to get right. While it is a snap for organizations to instill a blame culture, which is commonly reinforced through poor cybersecurity training, it is much harder to build resilience and help people become the backbone of a secure organization. Culture needs to be understood as people's shared attitudes and beliefs, their system of shared knowledge and values, and it has a direct impact on resilience.

By now it should be abundantly clear that a poor security culture makes everyone's job more difficult. For CISOs, whose tenure is the shortest in the C-suite, problematic points of view make their work more challenging still. For example, the ugly phrase "one throat to choke" is regularly invoked to describe the faulty and outdated premise of placing sole responsibility on the CISO or CIO for what should be understood as an organizational responsibility. The phrase itself indicates an unnecessarily adversarial view that pits security professionals against all comers, ensuring a poor outcome.

The pressure is getting to CISOs, and it is not making the job of securing organizations any easier. When recently polled, 88% of CISOs reported being moderately or tremendously stressed, and 48% noted mental health concerns. CISOs working for government agencies and corporations carry an enormous burden and hold a skillset that is in high demand; both are reflected in their short tenures: an average of 2 years, or roughly half that of chief information officers, according to a study by Korn Ferry. (And it is not just CISOs. Recent studies report that cybersecurity professionals more broadly suffer greatly from the stress of their positions.)

Describing your Security Culture

Does this bleak binary describe your security culture: when things are working, it's all good, but when they are not, your hair is on fire? If so, it is time to examine your security culture. To that end, organizations would do well to take a page out of aviation safety and its organization-wide "just culture" approach to safety and security. Far from being a no-blame culture, which isn't practicable in any event, a just culture places accountability at the appropriate place, time and level, distinguishing honest mistakes and system failures from reckless behavior. This focus on culture has helped make aviation one of the safest industries, with expectations of even greater improvements to come.

The "see something, say something" model is another to consider. It started as a national campaign to raise awareness of terrorism but has found wide applicability in other settings. Out of the box, the model posits that we all share responsibility for safety and security. However, in cybersecurity, where people are framed as "the weakest link" to be secured, the results have been mixed at best. The reasons may vary, but one stands out in particular: blame.

Training in cybersecurity has very typically been of the "gotcha" variety: employees are hit with simulated phishing emails designed to entice otherwise well-meaning people into clicking on malicious clickbait, and their failures are then used to justify the training. Or employees are left to click through mind-numbing rote exercises to ensure compliance with policies, many of which are themselves suspect. Even on a more charitable reading, in which such exercises ostensibly train people out of certain behaviors, training practice hasn't caught up, and we remain ensnared in the web of blame and shame.

With so much at stake, it is time to flip the script and ask: what if people aren't the weakest link, but are in fact a critical element in your organization's security? From there, it is but a hop to improving your organization's security culture and footing. Whether that means increasing automation to reduce drudgery, proactively finding and solving problems, or distributing responsibility for risk management, we are apt to do better when people are treated better. Nothing less than organizational success is at stake.

* Sean Costigan is this year’s Cyber Security Summit Co-Chair. He is the Director of Cyber Policy at Red Sift and a professor of cybersecurity at the George C. Marshall European Center for Security Studies.