Building a Cybersecurity Culture
Cybersecurity is an ecosystem of skills, experience, backgrounds and perspectives. According to Cybersecurity Ventures, “Over the eight-year period tracked, the number of unfilled cybersecurity jobs is expected to grow by 350 percent, from one million positions in 2013 to 3.5 million in 2021. And of the candidates who are applying for these positions, fewer than one in four are even qualified, according to the MIT Technology Review.” The last few years have taught us many things, but most of all, it has taught us how much our society depends on technology.
As a result, cybersecurity has become one of the most fast-paced and in-demand industries over the past year. And with greater demand comes greater responsibility. This blog will explore why redefining cybersecurity careers can benefit the industry’s future and what makes IT professionals vital within every organization.
Cybersecurity Culture is essential to organizational resilience to reduce the risk associated with human error. Human error is considered the number one reason for data breaches. Yet as aircrash investigation veteran Sidney Dekker writes in his book, The Field Guide to Understanding Human Error, “when we blame the people, we miss the chance to learn.”
Thus, cybersecurity culture needs to be a part of a broader corporate culture of daily actions encouraging employees to make mindful decisions that align with security policies, industry obligations and commitments made to customers. This involves breaking misconceptions about cyber attacks, providing business context (the why it matters), and offering the skills to identify threats and report them.
For example, the COM-B model is the bedrock of behavioral change. The model proposes that all three components (COM) are required to drive B, behavioral change:
- Capabilities: Can the desired behavior be accomplished?
- Opportunity: Is there sufficient opportunity for the behavior to occur?
- Motivation: Is there sufficient motivation for the behavior to occur?
The COM-B model is applied in critical industries like trauma medicine and is designed to push employees to automated, reflective response when facing a stressful situation, rather than panic or ignore the evidence.
By teaching and implementing proper precautionary actions like understanding the benefits of using a password manager and dispelling existing myths around password manager security and ease of use could help employees understand the role they play in protecting themselves and your organization’s security.
IT Professionals Lead the Way
As cybercrime rises and the threat landscape continues to shift like dunes in desert and the responsibily to adapt often falls on IT professionals. However, all employees must adapt to this changing landscape and remain vigilant. One of the best ways for an organization to mitigate cybercrime and risk is to build a culture of cybersecurity.
Far too many business leaders fail to understand the risks posed by cyber threats, and it falls to the IT professions to build a business case and convince the non-technical stakeholders of the need in addition to securing resourcing and implement programs.
When it comes to buildng the case for a security culture, technical leaders must shift the conversation from the “ones and zeroes” of IT security to the “dollars and cents” of Finance leadership, or the “nuts and bolts” of Operations. A security culture should be measured in terms of business benefits and not simply the number of trained employees.
Proactive Cybersecurity Approaches
Many IT departments work with third-party companies to implement a Proactive Defense Program. This benefit is that IT professionals can put their efforts towards other duties needed within their organization and foster a security culture. A security culture is more than just awareness. It requires employees to learn from IT professionals what security risk entails and the process to avoid it. It is building and enforcing operating processes of tasks that keep an organization safe.
A Proactive Defense Program is a fully managed security awareness training and testing service designed to reduce the risk posed by the human component. It empowers employees with the knowledge and skills to identify and report suspicious activity using real-life de-weaponized attack campaigns. All results are tracked through a Managed Detection and Response Platform. This allows IT professionals to view every employee’s analytics, program reports, and performance.
The type of culture that IT professionals build directly impacts every organization’s success. If security is not a part of every department, it will likely fail. IT professionals already carry the heavy weight of ensuring an organization is secure, so why not hold every employee accountable for their actions?
Investing in IT Security Professionals
If we are going to have a chance at changing the narrative and creating thriving cybersecurity careers, companies need to invest in their employees. Here are a few tips to consider:
Seek Partnerships: : Partner with community organizations, high schools, and non-profit businesses to bring IT programs to minority students and individuals seeking to learn more about the industry. This will create access to resources that offer support and industry knowledge to diverse candidates as they prepare to enter the cybersecurity field at different stages. Providing resources to those who might not have direct access is a prominent way to expand an IT professional’s experiences and skillsets.
Offer Training Programs: Invest in programs that update your employees on the latest cybersecurity skills, threats, and tools. Offering certificate programs or other incentives for completed trainings will encourage them to participate.
Review Job Descriptions: When writing job descriptions, really consider what skill sets are needed for a professional to thrive in the role entirely. Setting realistic expectations for different job levels is the best way to ensure that opportunities are available to rookies and vets, regardless of background or experience.
Measure What Matters to Cybersecurity
When it comes to demonstrating the value of Cybersecurity culture, it’s about measuring behavioral change and business-impacting outcomes, rather than the traditional focus on learning metrics. According the Kirkpatrick Model of Leveraging and Vallidating Talent Inverstments, there are four level:
Level 1: Reaction
- Subjective feedback forms (“smiley sheets”) to assess learner engagement, instructor performance and content usability or format.
- Passive metrics collected from online learning systems
Level 2: Learning
- OPEN/CLICK rates measure detection based on Inbox preview data
- SURRENDER rates measure user credentials given over
- LEARNING metrics (% or # trained and pass/fail metrics)
Level 3: Behavior
- REPORT rates measure number of suspicious lures reported using mechanism
- ENGAGEMENT rates measure subsequent communications with Security team
- POLICY/COMPLIANCE rate measures number of policy violations
Level 4: Outcomes
- Losses to fraudulent financial transfers
- Losses based on cyberattacks or Data breach costs
- Operation savings based on optimizations or reduced workload
When it comes to reporting, focus on the top two levels. The first two are interesting but are poor proxies for outcomes. Understanding the business impact will motive the C suite and thus create a continuous cycle of security culture from the top.
Accessibility and education are vital pieces of the puzzle to consider when creating a more inclusive industry of high-functioning IT professionals. While the three tips above are not a complete solution, they are a great place to start. Remember, the most significant change begins internally, and once the groundwork is laid, the external results reflect the process. To change the narrative, we all must change ourselves, thoughts, ideas, and perceptions and think of the bigger picture. After all, baby steps are still steps.