Security, to be effective, needs to be recognized, nurtured and developed into ongoing, job-embedded reality. Something that happens automatically. Keeping security top of mind every single time we get online.
It's about what we call training the mavericks. The mavericks are the ones we all know. The ones who drive new business, who don't focus on competitors as the competitors are focused on them instead. They are the ones who drive things and the people we cannot ignore. We can dislike them, follow them, glorify or vilify them but one thing we cannot do is ignore them. They are the reason the organization moves. Mavericks push the organization forward. In fact, they push the human race forward.
In our role, we are fortunate enough to regularly speak with mavericks in every field and industry. They are the managing partners and administrators of law firms, politicians with purpose and ethics (rare but they exist), medical personnel on the front lines as well as in administration leadership, school superintendents, CEOs, CMOs, CIOs, CISOs. Since mavericks influence behavior, it's key to get them to develop and socialize the fact they themselves value brand protection. A secure culture is one that happens automatically and unconsciously. Periodic training only occurs as reinforcement of cultural norms.
You have a brand, right?
Yes, you do. And the organization we work for or create as well as the families we belong to all have one. Every single person and organization has one. Whether they are aware of it, nurture and develop it is a different discussion.
For organizations, these brands are targeted daily and the risks are clearly overlooked or treated dismissively. Building a strong, healthy brand has taken years, several iterations, business plans, quarterly and annual reports, investors and countless resource hours. The brand has a reputation. That reputation is cared for and protected through public releases, community involvement, non-profit work, company sports teams, sponsorship and the like.
All of those create a culture that involves protecting the organization’s brand. Nobody wants to risk complete destruction of a brand through liability, class-action lawsuits, shareholder suits or other litigation. And yet relatively little time and few resources are spent to protect the brand from the most destructive and fastest path to complete brand annihilation: a cybersecurity breach.
Those safety policies, procedures and governance are integrated into the culture, just like cybersecurity best practices. So in part, cybersecurity has already started in most organizational cultures, since safety and risk management are already integrated. It just needs to be expanded, with the proper funding, time and energy put into it.
While definitions vary, culture is more than foosball tables and free food. It’s loosely defined by leaders like Simon Sinek as a common set of morals, beliefs and practices. Culture is set forth from leadership and adopted by the rest of the organization. It's clearly influenced by the mavericks as well.
Examples of an organization’s culture can include many things like work-from-home policies, Thursday collaboration days, weekly meetings, key benefits, sponsored sports leagues, weekend events and policies in place to instill a sense of belonging, caring and nurturing for the employees and their families.
It’s what keeps people from leaving just because another place is new, shiny or offers a bit more cash.
Cybersecurity as Cultural
How is something generally seen as hyper-technical (for the IT team) supposed to be part of all employees’ culture? To understand, we simply have to ask ‘why’ cybersecurity matters.
Cybersecurity goes to the heart of your organization. Everything that makes you personally or professionally unique (your health, financials, family; your organization's financials, intellectual property, etc.) has data tied to it. The reason securing your data is important is this: everything that makes you and your organization unique and special is under attack. Every. Single. Day. Your data, your personal data, and your professional data are being targeted.
Culture is what matters. Cybersecurity is what protects what matters. They are interwoven into the fabric of one another regardless of whether your organization realizes it or not.
Mindset Stages Driving Behavior
There are four stages of competence, also known as the four stages of learning. Trainingindustry.com and thousands of others have set forth the model.
Stage 1: Unconscious Incompetence
Stage 2: Conscious Incompetence
Stage 3: Conscious Competence
Stage 4: Unconscious Competence
It's a model based on the premise that before a learning experience begins, learners are unaware of what or how much they know (unconscious incompetence). As they learn they move through four psychological states until they reach a stage of unconscious competence.
Stage 4 is where the magic happens.
What Cultural Cybersecurity looks like
The weakest link is the unaware employee. No matter how much an organization spends on IT systems and IT staff, an untrained and unaware employee who inadvertently clicks wrong will cause a data breach. We like to call her “Mrs. Buttermaker”. She’s my figurative or imaginary employee who is well-educated, smart, funny and a great employee. In fact, in many organizations she is one of the mavericks. Yet she is the proximate cause for the single worst event that happens: a catastrophic data breach that destroys the company.
All in one click. One minute, from her second-floor cubicle or office.
A data breach will have a devastating and crippling effect on your organization and affect every layer from top to bottom. We are not paid by our organizations. We are ultimately, and in reality, paid by our customers' money. They are only customers because mavericks have demonstrated that we can be trusted. Trusted with private things like payment information, intellectual property, employee and healthcare private data.
The statistics are overwhelming and worsen daily. See any of our other articles for that data.
A Breach Destroys A Brand
Why do we say a breach can destroy a brand? Because the reality is simple: it does. People don’t want to do business with an organization that loses their stuff (private info, IP, trade secrets, strategic plans, personal life info, communications, financials, etc.).
A recent example: on February 11, 2019, VFEmail’s brand seems to have been destroyed. Their logo and tagline say “making email safe for the masses”. And yet a data breach took down their entire site and wiped clean all the masses’ emails and personal information and private communications, attachments etc. contained therein. Brand is gone in many people’s eyes. Trust is lost. Destroyed.
So, if the weakest link is a lack of awareness of cybersecurity best practices, making it part of the culture is a logical step and one that can be widespread and is proven effective. When my team gets involved, we see data breach scenarios go from 40%+ down to less than 1%. That’s significant and long-term.
Since cultural cybersecurity awareness and best practices are not something that comes in a box and can be shown in a glass case, some have trouble seeing it.
So what can it look like?
It’s irrelevant how much money is spent on IT network systems, firewalls etc or on IT staff salaries and contracted IT services. When Mrs. Buttermaker in the 3rd-floor cubicle doesn’t have an unconscious, automatic awareness, she will fail. As will all of our mavericks.
Behavior changes when we reach that level about phishing emails, spear phishing and social engineering. Until then the breach is going to happen. An inadequately trained maverick or employee, at any pay level or position, is a clear and present danger to your entire organization.
When done right it’s an integrated part of the culture. Just like safety signs, tracking how many days it’s been since the last accident, cybersecurity awareness needs to be discussed and revisited regularly.
IT security must be treated as a shared experience. It’s a daily due diligence every employee must understand.
Practices must be Best Practices implemented in a customized way to fit your culture and become an integral part of your culture.
When integrated it’s job-embedded and ongoing. There’s a common sense awareness that is raised and the armor around the brand is strengthened.
Set Cybersecurity Priorities: Ask for Help
Cybersecurity is not the responsibility of the CIO. It’s the responsibility of the C-Suite. Top leadership owns, founded or manages the brand. When a breach destroys the trust customers have in the organization then the brand is irreparably harmed. That accountability does not solely fall into the lap of the top tech person. Sure, they may have the team to manage systems and infrastructure, but it’s the executive leaders who set funding and priorities and place security top of mind in the culture.
Those who run the culture of an organization actually own the responsibility for cybersecurity.
If you don’t know what steps to take, or which priorities to set this year, then simply get help. Contact your IT advisor or get an independent holistic perspective on your state of risk from our team at All Covered-Konica Minolta, a Top 10 rated Cybersecurity Firm globally, located right here in the US.
Regional Manager Great Plains, Chicago Market
All Covered, Konica Minolta Business Solutions
Contact David Mauro and the All Covered Team to learn more.
Check out more content to raise awareness along with true crime stories at CYBERCRIMEJUNKIES.COM