Why — and How — to Create a Culture of Cybersecurity

You should have the best security technology you can possibly have, and your organization should have the most effective security policies it can create. But ultimately, the most powerful way to protect the organization is to create a culture of security. Whatever your place of business — whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the break room to the boardroom is essential.

Why is a culture of security so important? Think of the employees as the company’s first firewall. Staff stand between an organization’s information assets and the thieves who want to plunder them. Intrusions that are based entirely on technology are rare. Most intrusions result from fraud that takes advantage of employee carelessness, lack of judgment or even criminal intent.

Think of your company as a community. Most observers say there are three primary factors that help ensure law and order in a community.

1. Risk Perception

Members of the community can only act to prevent or report crime if they know what it looks like and have a certain level of fear about it. This is why the police departments in some communities work so hard to establish trust in their communities, and it’s the origin of the byword, “See something, say something.” In a company, you can take advantage of risk perception with user awareness training. Teach all employees what cybercrime looks like and how it is likely to affect them.

2. Social Norms and Conformity

Most human beings behave well because of social norms — informal understandings about the proper way to behave. Most of us go through our everyday lives with a sense of these informal understandings. Yes, the laws are there, but the opinions of our neighbors are keeping us in line. Just like every community, every organization has a culture that includes social norms, often ones we aren’t even aware of. Finding ways to incorporate security into those norms will go a long way toward protecting your organization’s assets. Here’s how you incorporate security into your organization’s social norms. First, make sure the leadership of the organization stresses the value of security and backs up these values by modeling appropriate behaviors. A CEO who talks about the importance of security and then writes his or her password on a sticky note on the computer monitor will harm more than help the culture of security.

Second, provide more advanced user training that teaches skills in addition to awareness. Give it a positive value. The Logical Operations CyberSAFE program, for example, culminates in certification so that those who successfully complete it have credentials providing tangible evidence of their value to the organization.

3. Routine Monitoring

Studies show that companies with skilled incident response teams suffer fewer catastrophic data breaches and lower average cost when data breaches do occur. This is because incident response teams reduce the “dwell time” of criminals that manage to invade your network. But incident response teams themselves also contribute to the culture of security, because their presence reminds employees of the importance of security.

My advice is that you designate, train and support an incident response team and promote their visibility within the organization. You may even want to consider ways to enhance the team’s prestige: stage a competition among candidates to join it, regularly report on it in the company newsletter and have its members visit and give presentations on security to other departments. Promoting the importance of the incident response team can contribute both to establishing social norms and conformity and the reassurance that contributes to a sense of stability that allows people get on with their work. The Logical Operations’ CyberSec First Responder program is an example of a way to train and certify an elite incident response team.

It’s not all about technology and law enforcement. You need to find as many ways as possible to support your employees’ adherence to security policies, exercise of good judgment and recognition of fraud. Risk perception, social norms and routine monitoring can only help.

About the Author

Bill Rosenthal returned to his roots by acquiring Logical Operations in April 2012 and currently serves as CEO. Bill first joined Logical Operations in 1987 as VP of Sales and Marketing and became president in 1992. As president, he oversaw the leading supplier of computer training products worldwide and supervised the operations of Ziff-Davis University, the leading web-based computer skills site. Bill’s other entrepreneurial endeavor includes his acquisition of Communispond in 2009, where he also serves as CEO. Communispond is a world leading presentation and communication skills company, based in New York with several offices across the globe. Bill acquired Communispond from Informa Plc when he returned to the USA after the building of the Informa Performance Improvement brands in the Middle East and Asia. While residing in Singapore, he managed the portfolio of Informa Performance Improvement (training) companies in Asia, which included AchieveGlobal, ESI, Omega Performance and The Forum Corporation. With offices throughout Asia and the Middle East including Singapore, Beijing, Shanghai, Hong Kong, Taiwan, Sydney, Melbourne, Auckland, and Dubai; Bill was responsible for all aspects of the business including sales, marketing, and the delivery of courses by certified faculty. Prior to joining Informa Plc, Bill was CEO of Digi-Block Inc., a K-12 education publisher focusing on mathematics (). Bill also served as President of Kaplan College, a division of Kaplan Inc., the well-known test preparation company. In addition, Bill developed and launched the online college, which offers associate’s and bachelor’s degrees and certificates in business, information technology, nursing and law. Bill Rosenthal received his B.A. in psychology from the University of Rochester in 1983.