How to build a strong Cyber Security culture in a crisis
It is difficult to talk about any aspect of business without mentioning the C-word. But, while COVID-19 is the driving force behind our new world of work, it is another C-word – “culture” – that we need to pay close attention to. After all, if organisations want to navigate and exit the global pandemic stronger, then they need to build a stronger security posture and culture through gaining employees’ trust. After all, they are our first line of defence.
So how do we, as security professionals and policymakers, contribute to more effective and resilient strategies, when our office workers are no longer always in the office?
In July, Telstra Purple held a virtual public/private sector roundtable in conjunction with the Australia-UK Chambers of Commerce. We debated the question of resilience and examined the role that each of us needs to take in creating safer workplaces under lockdown. As the largest Australian-owned technology services business, we have a unique perspective from both UK and Down Under, and identified many similarities and consensus across both regions. Joining me on the panel were a stellar group of experts:
● Dr Tobias Feakin, Australian Ambassador for Cyber Affairs, Department of Foreign Affairs and Trade
● Ciaran Martin, CEO, National Cyber Security Centre in the UK
● Dr Jessica Barker, CEO of Cygenta and Chair of ClubCISO, a community of global CISOs powered by Telstra Purple
While the roundtable was held under Chatham House Rule to ensure more open conversations, I want to highlight three of the important conclusions we landed on:
1) We have new risks, but there aren’t new rules
There is no doubt that COVID-19 has created challenges for cyber security; with adversaries using it as a means of spreading misinformation, stepping up attacks across multiple sectors and targeting vulnerable organisations that have rapidly transitioned to remote working.
We also agreed that COVID-19 has created greater awareness around the importance of secure systems. This is partly because we are all using more cloud-based data and services along with virtual customer and stakeholder interactions. Whether we meant it or not, organisations have been forced into digital transformation and remote working, which has brought cyber security to the fore.
All this means that we are working differently and outside of the traditional four walls of the business. Throw into the mix the ongoing rise of sophisticated state-based actors and malicious social engineering, and we have to make security an absolute priority.
But, importantly, that doesn’t mean we need new rules and more regulations. In recent years, governments and policymakers have rightly put heightened focus and priority on the cyber security agenda.
During the debate, we all agreed the best approach to create safer and more secure workplaces is to share best practice examples and empower organisations, but more importantly empowering individuals. It’s all about creating fit-for-purpose behaviours and informed risk-based decision making. It’s not about a heavy-handed enforcement of rules.
2) Good security = good communications
Risk is a funny thing. As human beings, we are hard-wired to understand that risk exists. We look both ways as we cross the road, probably without even thinking about it.
What we are not very good at is quantifying risk: just how dangerous are our actions and just how much risk are we willing to take?
In the cyber security industry, part of the solution is about education, but a greater issue is the language we use and the way we communicate cyber risk.
Take COVID-19 itself, for example. It’s unlikely that the general public outside of the medical profession could really quantify the risk of the situation until we had a common language and measurement – the “R” rate for infections. The ”R” is a classic example of a Key Performance Indicator, where we can quantify risk and adjust our actions without knowing the exact mechanism by which the experts come to the number.
In cyber security, we need to find a similar KPI for risk so everyone from the CEO to the most junior employee is aware of the risk situation and takes the appropriate action. Or, at least, is more aware of the easy ways that hackers, malware and social engineers can use them to attack their organisation.
For this to happen, cyber security should not be siloed or seen as a peripheral function. It should be integral to an organisation’s success. Some organisations have introduced cyber champions who are not technical professionals, but an approachable team member who can drive broader organisational engagement and who colleagues can call on for informal advice.
Several attendees also stressed the importance of having board-level buy-in to create a culture that centralises and embeds positive cyber practices across an organisation. And many of us noted the challenges CISOs have in quantifying and communicating cyber risk to the board level. There is a real need for a common, simple security language and system of measurement that can be widely understood and appreciated by all.
3) Culture will always eat security strategy for lunch
Yep, it’s an old phrase, but with a new twist. We have all put lots of emphasis on building resilient and fit-for-purpose security strategies, but we are coming to realise that they are only as good as the day-to-day practices that grow within the organisation. Good practices and engaged people deliver positive outcomes; bad practices and a disengaged workforce deliver more risk.
The panelists spoke at length about the growing recognition of the importance of security culture – the set of principles, norms and behaviours that informally govern how an organisation can approach cyber security.
But how do you build a great security culture and what does it really look like?
One participant noted that the bedrock is to empower people to raise queries and flag issues comfortably, enabling a swift response to incidents or threats. A culture of blame leads to a lack of transparency and therefore exacerbates the risks to organisational security.
On this topic, our recent ClubCISO member survey showed that 51% of CISOs say they have no blame culture in their organisations. But that means 49% still have one. That has to change.
As one panelist said, a paradigm shift is needed; businesses should see security as an enabler not a blocker. Organisations should not let regulatory frameworks stifle a creative approach to security solutions. Cyber security is an essential way to help businesses thrive and build long-term resilience, but measures should be implemented in a way that is always complementary to the existing organisational culture.
And in the same way that organisations should build transparency and empower their staff to better understand cyber risk, governments must also create awareness and build trust across society towards applications and the use of their data. Building awareness must also be balanced with avoiding an increase in societal anxiety over cyber threats.
So what do we need to do next?
My personal view is that all good things come from trust. Trust is the new currency of business, and in security this is more than implementing a “zero trust” operation model. Trust is about people, awareness, education, culture and a unified approach and language that we as consultants, governments, security professionals and technology companies all support.
I want to take this opportunity to thank Jess, Ciaran and Tobias for their expert insight and open discussion. I also want to invite any of you out there to talk to me directly about your thoughts on the subject. Together we can further the conversation and find new, powerful ways to create security best practice under lockdown and beyond.
