There is a sequence to creating a cybersecure culture, and no, it does not start with training employees

By Rene-Sylvain Bedard, author of SECURE By Design.

Although employee awareness is an important part of creating a SECURE culture, it is not the cornerstone everyone believes.

Where we went wrong

It is all over the surveys; they all point to the user being the weakest link in the security chain. I disagree. It is a symptom, but not the source.

While some social engineering attacks are precisely built to use our weakest psychological traits, it still does not fall on the user.

Who owns the vision, who decides where the ship goes, and who sets goals and priorities for the entire company? CEOs and owners. This is where culture and guidelines must come from. These are top-down operations, rarely the other way around. Having understood this, why believe that by training the bottom of the pyramid we will solve any cultural problem and make cybersecurity a priority?

When you answer this one, I believe you will start agreeing with me.

Read the data, but understand the construct

The survey data only explores the result of a cybersecurity incident. Basically, who clicked on the malware, or inserted the USB key found in the parking lot? And yes, at that level, the end user is the culprit.

To make sense of the data, you must look at the overall construct. How did we get to this situation?

My 2 cents: a lack of managerial courage.

Before you start sending me some hate mail, please hear me out.

Training the end users has its utility, but by itself, it is mainly a waste of time. It needs to be part of a larger, organisation-wide priority.

When leadership decides its yearly priorities, if cybersecurity is not part of that document, it will not exist. Business leaders are the role models for employees; they are the ones to emulate, so if management does not care about cybersecurity, why should the staff?

When KPIs return the wrong information

If you have any cybersecurity-related KPIs, you are most likely ahead of the curve, as most companies do not measure their cybersecurity at the executive level, hence it is not part of their reality.

Here’s an example: I am standing in front of the management board of a regional healthcare authority, referring to the numerous cyberattacks that their IT team fought off during our audit. They had an average of 10 attacks per week. One of the administrators simply stated: “but we are never under attack, so what are you referring to?” In short, they had no idea. Information does not magically float back to the top. You need to dig for it.

This type of board isolation happens too frequently. The IT teams are fighting to keep the lights on and ensure that cyberattacks don’t succeed, but management is kept blind.

In this example, the KPIs were all about uptime and quality of service, not showing any data about cybersecurity and incidents.

So here is my question to you, leaders: are you even aware of what is happening security-wise, once we set aside the number of people who have passed the training?

Here are a few questions that your executives’ KPIs should be answering:

% of identified cybersecurity risks remediated

Has the monthly cybersecurity drill been successful?

% of employees who have signed the new cybersecurity policy and responsible use of technology agreement

% of executives who have completed their cybersecurity leadership training

Has the cyber-incident recovery plan been reviewed and updated?

Are the emergency funds in case of a cyber-incident sufficient?

How many incidents were detected/remediated last month?

You get the point. There are multiple aspects that must be validated, and that you, as management, should have insight into. Why? Because they directly affect your growth and your bottom line. If you are not secure, then both are in danger.

When leaders need to lead

I might have overstated my point earlier. The fact is, before you start training your staff, your leadership must make cybersecurity a priority. Owners and management teams must be aligned on the importance of security and on what needs to be protected at all costs.

Leaders must become beacons and lead the way. They must be inquisitive about cybersecurity and demonstrate its importance everywhere, be it in objectives, planning or even reviews. It must become part of the culture, and to do so, it must come from the top. You can’t send mixed signals.

To empower your staff, you need leverage and consistency

So, start demonstrating interest, and start surveying your business processes, technologies and people to learn where criticality lies. Where must cybersecurity be applied, and where do you have blind spots today? Once you have surveyed your environment, you will start seeing a map of the areas of your business that you can’t live without.

Once you, as the owner, and your management are aligned and have dug enough into your practices, your employees will start noticing that cybersecurity is now important to you.

At that point, it should be part of your dialogues, part of what is important for your company: why it is critical to maintain healthy digital hygiene, and why some habits may put the company at risk.

At that point, you start creating a training portfolio that is fully aligned with your corporate objectives. Then it makes sense.

And what’s in it for you, leaders?

Have you ever considered that cybersecurity might be the lever you are missing to unlock those larger accounts that you have been trying to access for years?

This is my hidden gem for you. Those bids that you can’t access because you do not have the proper security compliance could open up, along with a new market of opportunities where customers are cyber-aware and will want their new partners to demonstrate their cybersecurity.

I can hear you: sure, you would like that 7-figure contract, but where to start...

Start by contacting me. We will help you go through the SECURE method and will enable this for you.
