Just over a decade ago, I went through a particularly challenging cybersecurity audit. It was the first of a new iteration of ultra-comprehensive assessments that seem to look at every single policy, setting, and practice. While the organization “passed”, I was disappointed from my perspective as a cybersecurity program manager. I knew we as an organization were better than what the report said and illustrated. As part of my normal after action review, I sought to delve deeply and understand why we didn’t do better. We had the technology and the personnel. What was missing?
I won’t bore you with the methodology of my search, but I ultimately identified what I believed to be the culprit. It was our culture or, more succinctly, our lack of a culture. What does culture have to do with cybersecurity? Just stay with me. It will make sense. What I saw was that we indeed had the technology and the people, but in too many instances, the various tools and individual people didn’t operate in a synchronized manner. Hardware and software security configurations were inconsistent. Policies and procedures were different in level of granularity and execution. Some people were better trained than others. Most importantly, I realized that those same people for the most part knew what to do but often lacked an understanding of why they were doing it and the importance of their role in the collective cybersecurity and organizational program.
It was then that the idea of instituting a cybersecurity culture of compliance popped up. For me, it was the cliché light bulb going off. If I could get each individual to recognize the importance of their contributions to the collective effort, they would hopefully feel a sense of empowerment and ownership. They would realize they were part of something bigger than themselves.
I wasn’t just thinking of the cybersecurity team, system administrators, and other technical personnel. My audience included every organizational member, from the standard network user to the executive staff and CEO. Why? I knew that the technical settings and policy documentation were only variables in a larger equation. Cybersecurity awareness at all levels is what minimizes the potential for a click in a phishing email and increases the potential for reporting of suspicious or abnormal activity. Support from every organizational area from human resources to logistics increased the likelihood of compliance with organizational cybersecurity processes and procedures. In reality, every member of the organization was a stakeholder. Individually we might do well, but collectively we could do amazingly well.
I acknowledge it sounds like it was a lofty goal a decade ago. Today, I acknowledge that it still is. Not every stakeholder will buy into the idea. Some people don’t have the desire to be part of something larger than themselves, but I’ve found that more do than don’t. When they understand why they’re doing something and appreciate its importance to the organization and its customers, they’re more likely to embrace their functional responsibilities and execute them with pride. People outside of the network might not know how important their work is, but the individual does and derives a sense of fulfillment from it.
The initial execution and its evolution since then have included developing and delivering training classes. The plural is deliberate, because there must be different ones targeted to different audiences based on functional area and level of technical knowledge. It isn’t just one session either. It’s a regular and recurring event. For system administrators, it may be orienting them on Risk Management Framework (RMF) control families and how applicability to their systems is determined. For the human resources department, it may be an overview of how onboarding and offboarding procedures affect compliance with related security controls. At the general user level, it can be going beyond the annually required computer-based training or training slides and offering quarterly training on current cybersecurity threats, how to spot phishing attacks, and even how to better safeguard their personally identifiable and privacy information on their personal devices. These efforts can be further bolstered by sending out monthly cybersecurity awareness updates, reminders, and other useful information. Most importantly of all, it involves leaving the office and regularly visiting organizational areas to visually assess their cybersecurity posture and asking them if they need assistance with any of their cybersecurity-related responsibilities.
All of the aforementioned actions directly support whatever cybersecurity framework your organization uses, but more importantly, they foster a sense of community in the organization. And from a community emerges a culture, or in our case a culture of compliance. People are now part of the process, not just subject to it.
Since originally coming up with the idea, I’ve remained committed to creating a culture of cybersecurity compliance in the organizations for which I’ve worked. I regularly look for and pursue opportunities to help technical and non-technical personnel understand how important they are in the sustainment of a solid cybersecurity posture that enables the organization to conduct its digital operations. Sometimes they buy into the idea, and sometimes they don’t. I remain undeterred, though. I know I have a great product, and I’ll keep selling it to as many people as possible. After all, there is no negative outcome. A culture of compliance only promises a huge return on an investment through a strengthened cybersecurity posture at no additional cost to the organization. All it takes is a desire to be better and the effort to become so. Hopefully, you’ve bought into the idea. If so, feel free to start implementing one in your organization and then pass the concept on to someone else.