How to Build a Cybersecurity Culture 

Ransomware headlines and sobering statistics can create a grim outlook for today’s enterprises. And the rise in remote work has only ramped up the efforts of bad actors and ransomware groups. But the faster organizations can acknowledge the new norm of increasing attacks and sinister techniques, the sooner they can develop a strong cybersecurity culture where employees are aware of the dangers and ready to respond.  

To err is human (and costly)

Human beings are historically the weakest point of defense against cybersecurity threats, often unwittingly causing catastrophic damage. In fact, human error accounts for nearly 90% of all data breaches (yes, you read that right) according to a Stanford study. While this statistic many not surprise some, what is shocking is the severe lack of effective training and education to help curb this problem. 

A 2021 survey conducted by TalentLMS asked 1,200 employees about their cybersecurity knowledge, habits, and quizzed them on their ability to spot cyber threats. Of the 69% that reported to having received cybersecurity training, 61% failed a simple 7-question security quiz. And as if these findings weren’t dismal enough, 60% of those who flunked said they felt safe from threats.  

Disconcerting, to say the least.  

Cybersecurity isn’t just for Security or IT—it’s for everyone

The idea of company culture often brings to mind foosball tables and casual Fridays. However, more intrinsic values and shared beliefs inform the general thrust of a company’s culture (employee-centric, horizontal structure, progressive values, etc.). These core values can inform employee attitudes, behaviors, and overall company success. Cybersecurity culture is a different flavor of this idea and can influence employee behaviors such as creating strong passwords and updating devices or applications when prompted. In other words, successful efforts to build a cybersecurity culture result in people across the organization taking ownership of the mission to protect the enterprise, its customers and its brand. 

Maintaining the health of an organization’s security has traditionally fallen to the Security department. IT has worked alongside Security to ensure vulnerabilities are patched and software updates installed. The broader employee base is begrudgingly roped in for painful annual training pushes. However, this episodic, outdated effort to keep workers apprised of best cybersecurity practices has proven ineffective, resulting in widespread lack of awareness and cybersecurity knowledge. More and more, businesses are redefining their approach and charging all employees to be stewards of their organization’s cybersecurity.  

Building a strong cybersecurity culture with simplified security

Recent emphasis on simplifying is ushering in new opportunities for companies to establish themselves as more cyber-savvy than ever before. Here are five key ways organizations can take the initial steps towards a protected and resilient cybersecurity culture. 

1. Get leadership on board. Convincing senior roles or C-suite members to hear and understand your argument for establishing a stronger sense of shared cybersecurity responsibility will help drive visibility, importance, and urgency. This effort is too critical to get lost in the shuffle of periodic requests and routine rejections. Find allies who can speak to the importance of cybersecurity culture and lay out exactly why it’s so business critical.Making your case to leadership is more successful when it’s translated into risk. For example, companies face up to an average loss of $1.85 million when hit with a ransomware attack; that’s an all-in average for ransom payment, loss of productivity, man hours to get back up and running again, legal fees, etc. However, for many companies the cost is much higher.  

1. Embrace democratized security. As environments grow more complex and intricate and attacks increase in sophistication, the need for simple, user-friendly security solutions is at an all-time high. Intuitive tools help disband security gatekeepers and invite even non-IT people to participate, creating a cadre of defenders across the organization. Cisco recognized this need when they made the pivotal move to acquire Kenna Security, working to bring data-driven and predictive risk-based vulnerability management technology into Cisco’s robust threat management solution, SecureX. Industry-defining solutions like this will help democratize security and invite more people to rally around more persistently robust cybersecurity hygiene. (Some organizations also use intuitive risk scores to set up healthy competition between remediation teams, perpetuating the risk reduction culture even further.) 

1. Ramp up your internal communication. Creating ongoing conversations and consistent messaging around a cybersecurity culture to help build awareness and investment. Recruit your marketing or communications team to help and work together to build engaging messages that will resonate company wide. Aim for concise, relevant, and interesting talking points. Make sure these messages matter to people who work in areas other than Security and IT.  And keep with it. Periodic or inconsistent pushes will cause interest to wain and fall off. Instead, establish a steady drumbeat of internal communication and test certain approaches to ensure people are staying engaged. Town halls, newsletter features, emails, and company chat channels are some avenues people take to keep the conversation alive. Sending mock phishing messages also keeps workers on their toes. 

1. Emphasize positivity (not punishment). Cybersecurity trainings are not typically synonymous with fun, but more companies are taking a lighthearted and engaging approach to cybersecurity training, which can include live debates and discussions and bringing training experts in to host hands-on educational sessions. The gamification of good security behaviors is growing in popularity and can include a rewards system based on top performer recognition, coveted prizes, pizza parties, and more.  No part of this approach should include punishment or admonishment of any kind. That’s probably the fastest way to lose support and enthusiasm for the greater cause. For more on this idea, read how Yahoo redefined their cybersecurity culture with the help of MIT researchers.  

1. Develop a CISO succession plan. CISO roles might be popping up across industries, but these positions have a notoriously high turnover. With an average tenure of two years, CISO transitions are a common occurrence at any company. To help prevent any disruptions in cultural flow or flavor, it’s key to outline a succession plan. New CISOs often arrive with different priorities, preferred tools, or alternative approaches to solving security problems. This could seriously jeopardize all your teams have worked to establish. Creating a game plan not only promotes a smooth transition, but it helps maintain priorities and shared values.   

There’s never a “too soon,” but there is a “too late”

Building a cybersecurity culture isn’t reserved for Fortune 500 or highly targeted industries. Ransomware and other attacks don’t discriminate; they target enterprise, SMB, healthcare, finance, entertainment, manufacturing, the list goes on. Investing time and energy into weaving in positive cybersecurity behavior and beliefs will only help limit attacker opportunities.  

Bad actors aren’t waiting. Why should you?  

To learn more about simplifying your security and rallying your company around risk, watch Cisco SecureX + Kenna Security: Bringing Simplicity to You now.