When I attend a networking event and ask a business owner, “Who’s responsible for Information Security?”, the usual reply is “IT”. But in today’s hyper-connected world, where digital landscapes are constantly evolving and data breaches and cyberattacks are becoming alarmingly common, organizations must recognise that information security is not solely the responsibility of the IT department.
We can’t simply point at the IT team and say, “Make me secure”, any more than we can point at the Finance department and say, “Save us money.” It's a collective effort that involves every employee.
This shift in mindset from an "IT problem" to "shared responsibility" is the cornerstone of any cultural transformation. Because cybersecurity has traditionally been viewed as a technical issue relegated to the IT department, those in the business don’t see that they have any agency in keeping the organization secure. This creates a false sense of security for some and a feeling of apathy for others who don't feel a personal stake in protecting the business.
To counter this, organizations must foster a culture where cybersecurity is understood as everyone's responsibility, regardless of role or technical expertise. That means instilling a mindset that views each individual in the organization as a crucial component of its defense against cyber threats. Of course, this then leads us to the thorny discussion of how we can build a culture of cybersecurity. How can we do this effectively?
We Need to Cultivate – not Build – a Cybersecurity Culture
Rather than thinking about building a cybersecurity culture, we need to think about cultivating one. It’s a simple yet important distinction. When we think of building something, we assume that there is nothing there already. However, cultivating something means nurturing and growing what already exists.
Every organization has a culture already. Culture is born from the collective knowledge, experience, and skills of everyone in the organization. Culture, therefore, is there from the inception. Even a business that employs just two people has a culture.
Therefore, when considering how to gain support for a cybersecurity or data protection programme, you must consider what culture already exists. From there, you can cultivate a culture in which what you’re trying to do is seen as supporting the overall business culture.
The Cultivation Starts with the End in Mind
All too often, we see training and awareness as a campaign or a phishing exercise that is done to the business. People are forced to undertake training, which includes death-by-PowerPoint sessions. If you’re lucky, the presenter will be passionate and interesting, and bring the topic to life. This is great, but not the whole story.
Develop clear objectives for your cybersecurity program, where you identify what behaviours or outcomes you expect to see from the awareness campaign. For example, an outcome might be to ensure that unattended devices are locked, or to increase the reporting of phishing attempts to the helpdesk. It’s even better if you can come up with specific and measurable objectives, but if this is your first attempt at building a culture, simply identifying what behaviours you want to see is a great place to start.
Make Cybersecurity Training Fun and Relevant
Instead of dry lectures and technical jargon, training should be engaging, interactive, and tailored to specific job roles, and it should be part of a wider campaign. Phishing simulations, gamified training modules, competitions, quizzes, and real-world examples can effectively illustrate the impact of cyber threats and equip employees with the knowledge and skills to identify and report suspicious activity.
Focus on the staff’s own lives, too. This means talking about cybersecurity at home, on their personal devices. Explain how and why Multi-Factor Authentication (MFA) is important in their online banking, and they will see why it’s important in the workplace, too.
Beyond training, open communication and trust are essential. Encourage employees to ask questions, report suspicious emails or behaviour, and voice concerns without fear of reprisal. This means cultivating a no-blame culture, where errors, mistakes, and mishaps are hailed as opportunities to learn and improve. This is about creating a safe environment where open communication is the norm, fostering a sense of shared responsibility and collaboration in fighting cyber threats.
If possible, create a steering committee that can advise you on the best way to develop your security program but will also act as your champion. This does not mean they become the font of all knowledge; rather, they are there to champion the cause within their area.
Of course, leading by example plays a crucial role in setting the tone for the entire organization. Corporate leaders need to champion the importance of cybersecurity openly and visibly. This means actively participating in incident response exercises, training, and awareness initiatives. This unwavering commitment from the top sends a powerful message, reinforcing the importance of security at all levels.
Technology also plays a crucial role in empowering employees. Implementing user-friendly security tools and systems can reduce the complexity of security practices and make it easier for employees to adopt safe habits. This might include two-factor authentication, password managers, and secure file-sharing platforms. Regular security assessments and vulnerability testing can also identify and address potential weaknesses within the organization's security posture, ensuring employees have the necessary tools and infrastructure to operate securely.
Finally, ongoing engagement and positive reinforcement are key to cultivating a sustainable culture of cybersecurity. Regular security communications, newsletters, and internal campaigns can keep awareness high and remind employees of their role in protecting the organization. Recognising and rewarding employees who exemplify safe practices further motivates positive behaviour and reinforces the importance of security within the company culture. Consider running a “Best Idea to Improve Security” quarterly award or “Best Cyber Blog” award, which encourages people to get involved.
Building a culture of cybersecurity is not a one-time project but an ongoing process that requires continuous investment and commitment. However, the benefits are undeniable. By empowering employees to be the first line of defense, organizations can significantly reduce their risk of cyberattacks, protect sensitive data, and build a more resilient and secure future. In an age where every click and keystroke can have far-reaching consequences, making everyone accountable for cybersecurity is no longer a choice but a necessity.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.