Changing Security Culture for Changed Times

Community Blog
Written by Eric Gneckow

FEBRUARY 16, 2021

Now that the dust has settled on the technical aspect of setting up secure remote work for organizations, information security executives are returning to what is perhaps their oldest and most enduring adversary — human nature.

On a human level, remote-working employees and third parties are coping with more distractions than usual as they balance work and home life and face an uncertain future. Establishing a culture of security in which all employees have a high-level understanding of the risk landscape, and of how it can affect them personally, alleviates some of that risk, but building that understanding is easier said than done, especially in a remote-work environment.

Human error remains the most prevalent cause of breaches, and that trend is unlikely to break, so fostering a culture of security awareness is an ongoing initiative that CISOs are charged with leading. User behavior has also changed now that corporate devices are often used for personal activities, raising the risk that shadow IT expands inadvertently or that users fall victim to COVID-19-themed phishing attempts.

Security culture needs to rest on processes and awareness, not on technology. Ongoing education is key to helping employees keep themselves, and the enterprise, safe. Simply put, a strong security culture is perhaps the most scalable way to improve resiliency. Sharing information across the organization on how cybersecurity affects users on a personal level can make them more vigilant when clicking links and providing personal information online.

In this environment, providing training and resources for employees on enterprise security threats must be done in a way that meets them where they are, demonstrates value quickly and is both compelling and relatable. The remote working environment and upheaval the country is facing has caused shifts in organizational culture, and communication must be adjusted accordingly to be effective.

Organizations are using various forms of communication, including SharePoint sites and tools like Microsoft Teams, Slack and Zoom. These are popular ways to disseminate information quickly, but they were not traditionally used in security awareness training. Periodic security updates are useful for informing employees about trends, and they are most easily absorbed when they incorporate real-world and personal examples of why good cyber hygiene matters. Whether that information is shared via email, training videos or a quick instant message to the organization, keeping best practices top-of-mind will help secure the enterprise.

Cybersecurity is often thought of as a team sport among practitioners, because CISOs share a common challenge: staving off cyber attacks while educating a workforce that is largely unaware of the threats that can affect them personally and compromise the organization. Collaboration and information sharing between CISOs across industries and companies is an effective way to gather best practices and make adjustments that best reflect the needs and culture of your organization.

Data collected by Evanta from CISOs in North America last year, during the COVID-19 pandemic, indicates that security awareness remains one of the top five priorities. Common challenges include not having the time or materials to conduct effective awareness training, difficulty changing user behavior, and a business that is focused elsewhere and does not support those initiatives. Facing such challenges, CISOs must get creative to produce quick, easily digestible and out-of-the-box training that disseminates the information in a sustainable way.

Fostering a culture of security requires more than annual training. It requires buy-in from executive leadership, which ties closely to another topic CISOs indicated is a top priority: measuring and communicating risk. Effective board and executive communication is key to securing the resources and support needed to deliver security awareness training across the organization, and buy-in from the top will help establish a true culture of security.

Challenges with enterprise security risks, awareness, and gaining buy-in from executive leadership pre-date COVID-19, but in a digital environment, shifts in communication and strategy are necessary to disseminate that information successfully. In a world where people feel overwhelmed and inundated with information, thoughtful adjustments to how security awareness training is delivered may be the difference between a reported phishing attempt and a potential breach.

Eric Gneckow

Director, Content at Evanta, a Gartner Company