Developing a positive cyber security culture


Board members should lead by example to help promote a healthy cyber security culture. Establishing and maintaining a healthy culture, in any part of the business, is about putting people at the heart of structures and policies. However, when it comes to cyber security, there is sometimes a tendency to focus almost exclusively on the technical issues and to overlook the needs of people and how they really work.

This rarely results in success. We know, for example, that when official policy makes it hard for someone to do their job, or when a policy is no longer practical, people find workarounds and 'unofficial' ways of carrying out particular tasks.

Without a healthy security culture, staff won't engage with cyber security, so you won't know about these workarounds or unofficial approaches. Not only will you have an inaccurate picture of your organization's cyber security, but you will also miss the opportunity for valuable staff input into how policies or processes could be improved.


What should the Board do?

Lead by example

You set the tone when it comes to cyber security. Lead by example and champion cyber security within your organization.

We often hear stories of senior leaders ignoring security policies and processes, or asking for 'special treatment' in some way (such as requesting a different device from those issued as standard). This tells everyone else in the organization that perhaps you don't consider the rules fit for purpose, and/or that it is acceptable to try to bypass them.

If policies don't work for you as a Board member (that is, if you find yourself doing something different to get your job done more easily), then there is a good chance they aren't working for others either. If it seems that the policy is having a detrimental effect on the organization, work with policy makers to adapt it.

Culture takes time and concerted effort to evolve. Don't assume that because the Board has endorsed a security posture, it will automatically cascade down throughout the organization.


What should your organization do?

Put people at the heart of security

Ultimately, the role of security should be to enable your organization to achieve its objectives. It follows that if your cyber security measures aren't working for people, then your security measures aren't working.

Some organizations fall into the trap of treating people as the 'weak link' when it comes to cyber security. This is a mistake. Effective security means balancing all the different components, not expecting humans always to bend to meet the technology. More importantly, the organization can't function without people, so staff should be supported so they can get their job done as effectively and securely as possible.

Security and leadership need to make the most of what people's behavior is telling them. Whilst technical monitoring can look for anomalies, people can act as an early-warning system and intuitively spot something that looks unusual. Ensuring staff know who to report any concerns to can save the organization a huge amount of time and money in the long run. If staff are working around a set procedure, this may highlight a particular policy or process that needs reviewing.


Develop a 'just culture'

Developing a 'just culture' [1] will enable the organization to have the best interaction with staff about cyber security. Staff are encouraged to speak up and report concerns, appropriate action is taken, and nobody seeks to assign blame. This allows staff to focus on bringing the most benefit to the organization rather than on protecting themselves.


What does good look like?

The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes 'good' cyber security in terms of developing a positive cyber security culture.


Q1. As a Board member, do I lead by example?

You might do this by:

  • Ensuring staff feel empowered, and have a suitable mechanism to raise security concerns, at any level in the organization.

  • Engaging with and respecting security decisions and working with decision makers to highlight ineffective policies.

  • Taking responsibility for your own role in cyber security by recognizing the risk you pose as a likely target for attackers and acting accordingly.

  • Speaking openly and positively to staff about why cyber security is important to the organization.


Q2. As an organization, do we have a good security culture?

Some signs that an organization has a good approach would be:

  • Staff know how to report any concerns or suspicious activity, and feel empowered to do so.

  • Staff don't fear reprisals when they report concerns or incidents.

  • Staff feel able to question processes in a constructive manner.

  • Staff input is demonstrably used to shape security policy.

  • Staff understand the importance of cyber security measures and what it means for the organization.


Q3. As an organization, what do we do to encourage a good security culture?

This can vary hugely depending on the size of your organization. Some examples we have seen include:

  • Properly resourced staff awareness.

  • Ensuring that staff input is included when creating new policies or system designs.

  • Sharing security metrics which focus on success rather than failure (for example, how many people identified phishing emails rather than how many people clicked on them).

  • Support from senior leadership on the importance of security.

[1] "A just culture is a culture of trust, learning and accountability. A just culture is particularly important when an incident has occurred, when something has gone wrong. How do you respond to the people involved? How do you minimise the negative impact and maximise learning?" – Sidney Dekker