Four Levers to Drive a Cyber-savvy Culture

Author: Phil Zongo, CEO of the Cyber Leadership Institute
Date Published: 29 October 2021

In 1898, The New York Times published a fascinating article, “An Old Swindle Revived,” which lamented the rising number of Americans who were falling victim to a resurgent 30-year-old scam. In this famed con, the swindler told the victim that he was locked up in a Spanish prison, which prevented him from accessing a large stash of cash. To retrieve the booty, the victim had to chip in with a smaller amount of money in exchange for a future hefty reward. Once the victim yielded to the request, the scammer would demand more money until the scam became apparent.

Over a century later, it seems the effectiveness of this dogged old swindle has not waned. Cyber crooks continue to exploit human vulnerabilities with surgical precision – hijacking high-value payments, blocking access to critical systems and bankrupting businesses. According to research, a staggering 95% of cybersecurity breaches are due to human error.

Several organizations are responding to intensifying cyber threats by investing millions into technical defenses. But these organizations will never achieve cyber resilience if they keep overlooking their weakest link – the human factor.

In my experience training cyber leaders from dozens of countries, cyber-resilient organizations put people’s hearts and minds, not technology, at the center of their cybersecurity strategies. Overreliance on technology not only wastes money but creates a false sense of immunity.

Creating a cyber-savvy workforce isn’t necessarily rocket science, but a growing list of data breaches rooted in human deception proves that most organizations still get this wrong. Organizations can drive cyber-savvy cultures in four distinct ways: by setting the right tone at the top, creating psychological safety, leveraging technology and gamifying cyber security training.  

  1. Set the right tone at the top
    All cyber-savvy organizations have one thing in common – a strong tone at the top. Their top leaders role-model the expected attitudes, beliefs and practices. They also tie cyber transformation to broader business goals and firmly signal that cyber resilience is a strategic matter that underpins business growth and customer trust. When employees see executives demonstrate steadfast commitment to cyber resilience, they are likely to follow suit, creating a ripple effect across the organization.

    Creating a healthy cybersecurity culture takes time, but there are no two ways about it. As Jeffrey R. Immelt, former CEO of General Electric, said, “You can’t have a transformation without revamping the culture and the established ways of doing things.” This starts with executives weeding out damaging practices that create breeding grounds for cyber breaches. 

    Here are three typical signs of toxic cyber environments:
    • Project teams constantly ship solutions with easy-to-exploit security bugs. They prioritize speed to market and cost, fueled by a high-pressure “profit above all” culture.
    • Executives pay lip service to cybersecurity by approving dozens of policy exemptions, downloading sensitive data onto unencrypted devices, or entering strategic alliances with poorly vetted suppliers.
    • The chief information security officer (CISO) lacks organizational stature, and cybersecurity is severely underfunded. Predictably, cybersecurity staff are constantly stressed, feel unappreciated and hardly last in their roles.

    The CEO must regularly remind staff of what’s at stake through email updates, townhall briefings, and other informal communication channels. But the essence of leadership is action. To create lasting change, executives must proactively upskill themselves in cyber-risk oversight, as well as actively participate in cyber governance meetings and cyber crisis response drills. Additionally, by openly celebrating cyber heroes, business leaders can reinforce positive behaviors, motivating others to follow suit.
  2. Create psychological safety
    Another important factor is promoting psychological safety. Employees must freely and openly question deep-seated norms and raise concerns without fearing negative repercussions. Psychological safety is more critical now than ever, with most employees accessing high-value systems remotely and grappling with COVID-19-related anxieties.

    To get this right, management must explicitly reassure employees that it’s permissible to challenge high-risk requests, such as altering client banking details, regardless of their origin. Organizations that encourage employees to learn from their missteps see a dramatic rise in reported incidents and near misses. This gives security teams enough time to neutralize threats before they get out of hand.
  3. Leverage technology to minimize human error
    But cyber awareness programs aren’t silver bullets. No matter your efforts, there will always be one unassuming employee who clicks a weaponized phishing link and accidentally opens a backdoor for threat actors to cripple high-value systems. Here are five ways you can use technology to turbo-charge a cyber cultural transformation program:
    • Enforce dual approval for all payment processing. Tricking two individuals is simply harder than tricking one. Also, encourage frontline staff to acquaint themselves with the habits of their customers to increase the chances of spotting dubious requests. For instance, a request to urgently wire funds because the purported client is “stranded” or “taken hostage” abroad should raise alarms.
    • Deploy a commercial password manager to provide secure, frictionless digital experiences to your staff. Password managers are encrypted vaults that store and remember users’ credentials for various apps or websites. Because users only need to remember one primary password, password managers offer both security and convenience.
    • Mandate multi-factor authentication (MFA) for access to high-value applications, for high-value transactions, and for users accessing the enterprise network from untrusted locations. MFA combines something a user knows (such as a username and password) with something a user has (such as a device that generates a one-time password (OTP)) or something a user is (facial or fingerprint recognition). According to Microsoft, MFA can reduce the risk of identity compromise by approximately 99.9 percent compared to passwords alone.
    • Maintaining dozens of insanely complex passwords is simply overwhelming for most users. Unsurprisingly, up to 50 percent of all help desk calls pertain to forgotten passwords. Organizations can eliminate this burden by accelerating single sign-on (SSO) projects. SSO reduces the attack surface and improves the digital experience by enabling employees to use one set of credentials (such as username, password and MFA token) to access multiple on-premises and cloud-based applications.
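    The dual-approval bullet above, together with the earlier point about challenging requests to alter client banking details, can be expressed as a small maker/checker control. The following Python is an added illustration, not code from the article or from the Cyber Leadership Institute; the class and field names, the two-approver threshold, the three-day cooling-off period for recently changed beneficiary details, and the sample payment are all constructed for the example.

```python
"""Maker/checker (dual-approval) gate for outgoing payments.

Illustrative code added to the article; all names, thresholds and sample
figures are constructed and not taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


class ApprovalError(ValueError):
    """Raised when an approval would violate the dual-control rule."""


@dataclass
class Beneficiary:
    name: str
    account: str
    details_changed_on: date  # when the payee's bank details were last edited


@dataclass
class PaymentRequest:
    request_id: str
    initiator: str            # the "maker" who keyed the payment in
    beneficiary: Beneficiary
    amount: float
    approvals: list[str] = field(default_factory=list)  # distinct "checkers"


class DualControl:
    """A payment is released only when N distinct people, none of whom
    initiated it, have approved it. Tricking two people is harder than one."""

    def __init__(self, required_approvals: int = 2, cooling_off_days: int = 3):
        self.required_approvals = required_approvals
        self.cooling_off_days = cooling_off_days  # assumed policy value

    def approve(self, req: PaymentRequest, approver: str) -> int:
        """Record one approval; returns the number of approvals so far."""
        if approver == req.initiator:
            raise ApprovalError(f"{approver} initiated {req.request_id} and cannot approve it")
        if approver in req.approvals:
            raise ApprovalError(f"{approver} has already approved {req.request_id}")
        req.approvals.append(approver)
        return len(req.approvals)

    def review_flags(self, req: PaymentRequest, today: date) -> list[str]:
        """Reasons a checker should pause and verify out-of-band before approving.
        Recently edited bank details are the classic precursor to a redirected payment."""
        flags = []
        age = today - req.beneficiary.details_changed_on
        if age < timedelta(days=self.cooling_off_days):
            flags.append(f"bank details for {req.beneficiary.name} changed {age.days} day(s) ago")
        return flags

    def is_releasable(self, req: PaymentRequest) -> bool:
        """True once enough distinct non-initiators have approved."""
        distinct = set(req.approvals) - {req.initiator}
        return len(distinct) >= self.required_approvals


def demo() -> dict:
    """Constructed walkthrough: alice keys in a payment to a payee whose bank
    details were edited yesterday; bob and carol must both approve it."""
    gate = DualControl()
    payee = Beneficiary("Acme Supplies", "ACCT-EXAMPLE-001", date(2021, 10, 27))
    req = PaymentRequest("PAY-0001", "alice", payee, 48_500.00)
    flags = gate.review_flags(req, today=date(2021, 10, 28))
    try:
        gate.approve(req, "alice")      # initiator cannot approve her own request
        self_approval_blocked = False
    except ApprovalError:
        self_approval_blocked = True
    gate.approve(req, "bob")
    after_one = gate.is_releasable(req)  # one checker is not enough
    gate.approve(req, "carol")
    return {
        "flags": flags,
        "self_approval_blocked": self_approval_blocked,
        "releasable_after_one": after_one,
        "releasable_after_two": gate.is_releasable(req),
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the cooling-off flag is that it surfaces the "recently changed bank details" condition to the second approver automatically, so the decision to challenge the request does not depend on one person's memory of the customer's habits.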
  4. Gamify cybersecurity
    Most people would rather queue up at the post office, file tax returns or go to the dentist than attend mandatory security training. But despite their ineffectiveness, most companies continue to shove tedious compliance modules down their staff’s throats. Compounding the pain, most of these mandatory security training modules are inundated with negative messages, such as severe consequences for non-compliance. The positive effects of compliance-based security training rarely last beyond a day or two.

    But cybersecurity awareness shouldn’t suck. Forward-leaning organizations are reversing these long-held stereotypes by building gamification concepts into their security training programs. Business leaders use game incentives – such as points, online badges and other rewards – to motivate employees to proactively embrace cybersecurity values.

    For example, business leaders can encourage software developers to bake cybersecurity early into the systems development lifecycle by awarding points to development teams that consistently deliver bug-free code. Conversely, points are deducted from development teams whenever they ship code with critical security flaws. Similarly, frontline teams can be awarded points for maintaining basic cybersecurity hygiene, such as encrypting personally identifiable information before sharing it with external parties.

    Making security fun motivates employees to embrace the security principles by their own will rather than treat them as a necessary evil. It also significantly lowers the cost of security, as baking controls into new systems is way cheaper than fixing vulnerabilities in live environments.

Looking forward
Unlike the many organizations that lurch from one emerging technology to the next, cyber-resilient enterprises act differently by placing people at the center of everything they do. They create deeply internalized beliefs that protecting the enterprise from cyberthreats is everyone's responsibility, from the board of directors to frontline personnel. They also acknowledge that combating cyber threats requires a combination of process, technology and people investments, but the most crucial factor is fixing human-based vulnerabilities.

You can download a comprehensive CISO playbook here - CISO Playbook: Developing a Cyber-Resilient Culture: https://hub.cyberleadershipinstitute.com/posts/ciso-playbook-developing-a-cyber-resilient-culture

Editor’s note: For more ISACA resources on cyber-resilient and cyber-mature organizations, learn about ISACA’s CMMI Cybermaturity Platform.

About the author: Phil Zongo is the CEO of the Cyber Leadership Institute, an enterprise that has trained cyber leaders and executives from more than 38 countries. He is also the bestselling author of The Five Anchors of Cyber Resilience, and the 2017 winner of ISACA’s Global Michael Cangemi Best Article / Book Award.