There are organizations that have no cyber security culture. Others have a cyber security culture that consists entirely of an annual video for all employees. If the successful practice of cyber security depends on ownership of secure practices throughout the company, then real security awareness requires cultural change. A cyber security team will never be large enough to accomplish the task on its own.
So you, as a cyber security leader, are starting from nothing. You'll need a plan to get your organization from where it is today to where you want it to be.
Prepare For The Long Game: Unless the goal of your security awareness program is just to get more people to watch the annual video, you'll need to set expectations with your executives, your team, and yourself that this problem won't be solved in a quarter or in a year. You'll need to commit for the long term.
Share Consciousness: Sharing consciousness is the one tool you will have to work with initially; resource timing may leave you with nothing else. Find ways to inject security topics into every conversation, huddle, and meeting. You'll know that you are doing it right when people know that you are about to talk about security right before you actually begin to speak.
Open Minds Through Focused News: Employees often have assumptions about malware and malicious attacks. This could be anything from "we are too small for attackers to notice" to "APIs don't need authentication" to "organizations don't get wrecked because of test servers." Open a channel on your collaboration tool dedicated to posting news relevant to your company's use cases that specifically challenges the assumptions employees hold.
Engage Other Teams: Frequent engagement is the single best way to pass security ownership to the rightful owner in a supportive way. You can jointly work through priorities, work plans, and concerns as part of that transfer and the follow-on ownership. It's the frequency and quality of that engagement that matters.
Extract Value From Teachable Moments Without Shaming: There is always that employee who puts a server online or develops an internet-facing API without production security controls. Have a plan for winning a convert to secure practices as a result of that experience. No shaming, just a good lesson learned.
Measure Forward Looking Indicators: There are plenty of backward-looking indicators in security awareness. The first forward-looking sign that a security awareness program is working is that employees begin to proactively approach the cyber security team with questions. Measure those forward-looking indicators as well, so the team knows it is making progress even when the evidence is still anecdotal.
Security awareness is about transforming an organization's culture. Building real and actionable security awareness is far more difficult than checking a security awareness compliance checkbox. You'll need a tenacious, long-term approach to bring about the needed cultural change.
The world is in your hands.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.