A toxic cybersecurity culture affects team turnover, productivity, and morale. Worse yet, it places enterprise systems and data at risk.

In a toxic cybersecurity culture, everybody believes that cybersecurity is somebody else’s job, says Keri Pearlson, executive director for Cybersecurity at MIT Sloan (CAMS), a research consortium focusing on cybersecurity leadership and governance issues. “They don’t see any value in making efforts that help keep the organization secure.”

Here’s how to know whether your cyber culture needs revamping and how to get your organization on the right track.

When teams treat security as a compliance checkbox rather than a strategic priority, your cybersecurity culture is in sure need of a turnaround, says Rob T. Lee, chief of research and head of faculty at SANS Institute, a cybersecurity training firm. “In such environments, organizations often rush to deploy or purchase technology without proper review or implementing robust access controls.”

Instead of simply labeling a security team as toxic, Chris Reffkin, chief security and risk officer at cybersecurity services firm Fortra, believes that leaders should dig deeper to assess whether the organization actually prioritizes security or simply passes the buck when mistakes occur. “Warning signs include being quick to punish issues, such as poor phishing training performance or accidental misconfigurations that result in a security event,” he says.

The rot typically starts at the top when leadership fails to prioritize cybersecurity or take personal responsibility for ensuring the organization recognizes the importance of everyone doing their part, Pearlson says. Individuals keep failing phishing tests and share passwords with one another, with vendors, and with others outside the organization, among other habitual security mistakes.
“They don’t know, or disregard, policies and guide rails put in place to drive cybersecure behaviors.”

Contrary to a popular cybersecurity maxim, believing that people are the weakest link in the security chain is often an early sign of a toxic security culture, says Wolfgang Goerlich, a faculty member at Boston-based cybersecurity research and advisory firm IANS Research. “When a blame-first mentality creeps into conversations and manifests in decisions, you know the culture is heading in the wrong direction,” he observes.

Other signs to look for, Goerlich advises, are employees hiding mistakes to avoid repercussions, engaging in public shaming, and shifting toward shadow IT and shadow security to avoid the cybersecurity team.

Punishment, if necessary, should be fair and appropriate to the mistake’s severity, says Dan Glass, CISO at IT services firm NTT DATA North America. “If employees fear repercussions for making mistakes, they’re less likely to report incidents or vulnerabilities, which may lead to unaddressed security gaps and a general lack of transparency.”

A security team that fears making mistakes will likely, over time, generate a negative business impact. “The lack of a security-first culture will prevent or minimize the willingness of employees to raise issues that pose risks to the organization,” Reffkin warns. Additionally, poor governance will foster a culture that lacks basic risk awareness and a willingness to address risks without fear of reprisal.
Corrective steps for a stronger security culture
CISOs must set the tone at the top, making it widely known that they’re ready to collaborate on security issues and concerns with the entire employee community, IANS Research’s Goerlich says. “This means consistently finding ways to improve usability, minimizing friction, and delivering both the sense of security and robust technical protections.”

CISOs should put their sneakers on and start walking the hallways, Fortra’s Reffkin advises. “They should spend time with senior leadership to discuss their perceptions of security, present the risks facing the organization, and discuss how security enables the business, and offer specific support to the business units.”

If a CISO doesn’t work toward becoming a valuable member of the extended senior leadership team, it can lead to a misalignment between enterprise direction and security strategy, NTT DATA’s Glass warns. “Creating a blame culture can be particularly detrimental to cybersecurity efforts.”

A cyber culture is something that should be effectively reinforced by all C-level executives, not just the CISO. The CISO can lead by example, reward good behaviors, make heroes out of people who do the right things, create friendly competition between groups to softly discourage bad behaviors, and deploy other motivators to build beliefs that drive effective cybersecure behavior, Pearlson says. “Yet the best thing they can do is to help their C-level colleagues make cyber their personal priority, so everyone sees that the company leaders are aligned.”

CISOs must encourage openness, security awareness, and learning across the organization and avoid using fear of consequences to enforce compliance, Glass says. “A solid awareness campaign that clearly explains the ‘why’ behind some of the more Draconian security measures will lead to a better understanding of how each employee has a part to play in the shared success of the company’s security.”
Gathering support across the enterprise
CISOs shouldn’t tackle security culture in a vacuum. “Collaborate with human resources, employee engagement, and create a cross-functional team,” Goerlich advises. This approach works best when it’s positioned within, and aligned with, the broader organizational culture. In healthcare, for example, tying cybersecurity to patient health and safety, or combining cybersecurity with manufacturing’s safety culture, can lead to both stronger security and secondary benefits.

Every C-level executive has a role to play in supporting a strong cybersecurity culture. When they make cybersecurity their personal priority by talking about it, doing what they can to reward team members who do the right things, and taking a personal interest in learning more about what team members can do, they send a message that reinforces the importance of a healthy cybersecurity culture, Pearlson explains.

The entire enterprise’s senior leadership should actively participate in promoting a robust cybersecurity culture. “Collaborative messages from the CISO and other senior leaders can transform an otherwise disregarded message into an organizational priority that demands attention from everyone,” Glass says. “Additionally, utilizing all available internal communication channels can effectively spread the cybersecurity message to other platforms that may have higher engagement rates, as well as reach key decision-makers within the organization.”

Cybersecurity culture transformation is challenging and requires an ongoing effort, Lee says. “It’s crucial to maintain a commitment to continual learning, fostering a shared understanding of how security impacts employees, customers, and the organization as a whole,” he explains. “By empowering employees and engaging them as active participants in security, enterprises can build a resilient culture that evolves alongside the threat landscape.”
Continuous improvement is the key
A great way to ensure that a toxic culture doesn’t appear or, worse yet, persist, is to build effective organizational security controls, Glass says. “These controls should be transparent to regular users, and self-service options should be widely available,” he states. “Implementing a well-executed zero-trust security strategy with invisible device security, single sign-on for all applications, and user-friendly, phish-proof authentication tokens, can significantly reduce friction in daily security interactions.”

Ensuring a healthy cybersecurity culture is a continuous improvement exercise. “There will always be new employees and departing employees that will affect the culture,” Reffkin says. “An ongoing program will be required to help manage the recurrence of prior poor behaviors.”

“We need everyone to be on board, it’s a war, not just an attack vector,” Pearlson warns. A strong cybersecurity culture is the logical place to start. “Our best chance of winning is having an aligned, motivated, and innovative employee base that’s watching out for abnormal things that might indicate a cyberattack.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3618146/how-to-turn-around-a-toxic-cybersecurity-culture.html