March 28, 2022
Cyber security trends in 2022 - How internal culture plays a critical role in strengthening your security posture
Almost every business will agree that building and maintaining a healthy culture, across all areas of the organisation, is important, and that central to this is putting people at the heart of any structures and policies. When it comes to a business's cyber security posture, however, there is a near-universal tendency to focus almost exclusively on tools and technologies, overlooking one of the most critical aspects: the needs of people and how they really operate within the business.

Failing to address the needs of employees rarely results in success in the longer term. If a security control or policy makes it hard for someone to do their job, they will quickly find ways to sidestep the control. Without a strong security culture, employees won't engage with your security teams, leading to unofficial, undocumented ways of working and a weaker security posture overall.

How can you build a security culture in your business?

The foundation of a strong security culture is trust. If you demonstrate to your staff that you trust them to report security concerns in a timely manner, and they trust that you will use that information in a positive way, then you have the makings of a great culture.

Create a culture of accountability, not blame

One of the first stumbling blocks faced by a business working to create a strong culture of security is a failure to move away from blame. Blame is almost always counter-productive: it rarely solves a problem and, worse, it leads to people failing to report incidents.

Moving away from blame does not mean that people are not accountable for their actions, but instead gives them a chance to learn and grow. Allowing people the opportunity to own their mistakes and take responsibility, and involving them in any work carried out to resolve the issue, leads to drastically reduced chances of recurrence.

Showing employees that all incidents, no matter their cause, will be reviewed fairly will demonstrate trust, and lead to both development opportunities and an increased willingness to report incidents in the future.

The key takeaway here is that mistakes should not be stigmatised, and individuals or teams should not be singled out for blame. Any security incident should be seen as both a wider failure of controls across the business and, most importantly, an opportunity for improvement for both the individuals involved and the wider business.

Introduce a transparent reporting structure

There are some things within a business that need to be identified and reported due to regulatory requirements or legal concerns, and while this is undeniably important, it shouldn’t be where your reporting responsibilities end.

People should feel empowered to report anything related to security within the business, and be involved in any actions taken after a report. There are a few key steps that can be taken to help build this confidence in your staff:

  • Make reporting easy – The process should be straightforward and well documented.
  • Make reporting voluntary – People should see the value of their input to the wider organisation and its improvement.
  • Make reporting anonymous – People should be able to report without revealing their identity, and should know that whatever they do disclose, including who they are, will be kept confidential and handled sensitively.
  • Make reporting transparent – Always ensure that the reporting person is kept up to date on the actions taken as a result of their report and the outcome of any investigation.

As you demonstrate that you will handle all reports sensitively and build confidence in your staff, they will be more willing to discuss long-standing issues such as workarounds that exist because a policy or control is inadequate or outdated; this information is just as valuable as a report of an active incident. Everyone within your organisation should know this, and should always be comfortable reporting concerns, and reporting them early.

What does good look like?

It can be hard to measure what good looks like when it comes to culture, as every organisation is different. There are, however, a few key indicators that things are going well.

As a leader, whether at team level or at board level, you should always ensure that:

  • Any staff you are responsible for feel empowered to report concerns, at any level, without fear of reprisal.
  • All employees have access to, and engage with, appropriate security awareness training material which enables them to proactively identify and raise potential issues.
  • You take responsibility for your own role in cyber security and acknowledge the areas where you also introduce risk to the organisation.
  • You lead by example, both by reporting concerns yourself and by talking openly and positively about the cyber security framework in place and your role within it.

The most successful organisations that adopt these practices also have their culture reviewed by outside experts to 'keep them honest'. Culture is what people practise and feel, not a policy document, so testing how people actually react, through exercises, can be crucial to real progress.

Secure Impact has helped many clients transition from a low level of cyber security culture maturity to business wide engagement, and can share more of the common mistakes with you from watching many businesses make these transitions.

If you have any questions about this article, or would like to discuss your internal security culture, please contact Simon McNamee.
