How to cultivate a security-conscious culture: Leadership's critical role

With Cyber Security Awareness Month 2024 well underway, it’s crucial to recognise that the efforts made during this period are just the beginning. Creating a truly effective human firewall requires more than annual training programmes or temporary initiatives. This month is a great platform for security teams to generate exposure and conversation, and to help drive a shift in organisational culture towards one that places cyber security at the forefront of every decision and action. But, as we know, security isn’t about just one month of the year.

The power of leadership

Leaders play a pivotal role in fostering an environment where cyber security becomes second nature to every employee. By leading by example and being consistent in their own security practices, executives can embed good cyber habits into the very DNA of their organisation all year round and drive the culture change.

Although the tools and technologies are essential for maintaining a resilient infrastructure, it’s equally important that employees understand how to use these technologies effectively and responsibly. When leaders demonstrate good use of these tools, it sends a powerful message throughout the company, reinforcing the importance of security at all levels. For instance, ensure you install updates and patches as soon as you’re prompted, and embrace the latest biometric technologies as they become available.

Make cyber security easy for employees

While the phrase “security is everyone’s responsibility” is often debated, it does come down to a collective effort to ensure a security-conscious culture extends organisation-wide. This includes CISOs and cyber security teams, who must ensure they are enabling, not blocking. Too often, security teams are perceived as roadblocks, but CISOs have the power to change this perception.

Umar Waheed, UK CISO of Nuance, a Microsoft-owned company, reinforces this: “The security team has the responsibility to make security straightforward; sometimes we expect people to know what we do because we know what the right process is. The reality is that security is not a priority on everyone’s mind, so we need to be enablers, but what does that mean? We won’t just say no for no reason, we’ll review and provide rationale and examples of what the impact is, helping them understand and taking them along with us. We want to be approachable and open as a security team, so they actively want to reach out to us and in return see the reward in that.”

A collective approach to changing cyber security culture

There is immense value in cyber security awareness, but it’s not the responsibility of a single person or team. Leaders need to support a collaborative approach to build a robust cyber security culture framework.

To truly integrate cyber security culture, leaders can:

  • Practise good cyber behaviours themselves
  • Give their security champion a regular slot in team meetings and elevate their position
  • Recognise employees who demonstrate strong security practices
  • Incorporate cyber security metrics into performance evaluations
  • Invest in ongoing training and awareness programmes in partnership with the CISO and security team

Cyber security teams are eager to support these efforts. One effective way to ensure you’re on the right track is to conduct an annual assessment of your organisation’s position against a cyber security culture framework.

Blue Goose Lead Cyber Consultant, Alison Jiggins, elaborates: “An annual evaluation of your cybersecurity culture and its framework should be standard practice. Without it, how can you gauge your progress, determine what’s effective, and identify areas for improvement?

“Numerous internal and external factors can influence employee behaviours and attitudes year over year. Understanding these changes is crucial before pinpointing areas that require attention. Your findings will shape your strategy and objectives for the coming year, ensuring alignment with the broader organisational strategy.”

If you’re curious about cyber security culture health checks and how to implement one in your organisation, reach out to Alison via email alisonj@bluegoose.co.uk for more information. You can also access our free Cyber Security Awareness Month toolkit here.