7 Steps to Build a Culture of Security
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
Why is cybersecurity culture so important to organizational success? How can you build a culture of effective security? What are the actions, tips and steps that can help strengthen your cyberculture? Here's a primer.
While running on my treadmill on Thursday morning, August 17, 2017, I was watching CNBC’s Squawk Box, as David Novak, co-founder and former CEO of YUM Brands, came on the show as a guest.
He was asked how he was so successful at growing such a powerful set of global YUM Brands with great results, including names like KFC, Pizza Hut and Taco Bell. His answer made me slow the treadmill to a walk and listen closely.
He said several things, but his clear messages focused on building a great culture with a set of core values and staff recognition. Here’s what stood out to me (paraphrased):
Success is all about the culture. Great leaders know your core values and are true to them. What messages are you sending to your employees? Are you recognizing and rewarding your staff?
As an aside: David Novak elaborates further on the recognition theme in this earlier article and video from last year. He challenged all of us to say “thank you” to employees and everyone in our lives more often. He even wrote this fun book on the 10 principles of recognition called O Great One!: A Little Story About the Awesome Power of Recognition.
Near the end of his Squawk Box interview, the topic of what actions to take on several global cybersecurity issues came up. Becky Quick asked Novak what the Trump administration should do about China stealing our intellectual property via computer hacking.
Novak said we need win-win answers that will work for both countries. Despite serious problems that require tough negotiations, we need to be positive in our approach, while enforcing laws and acting on areas where we have international agreement.
Issue One: Back to Security Culture
Management guru Peter Drucker is attributed with the well-known saying, "Culture eats strategy for breakfast." And while there are hundreds of books and thousands of articles on building great work cultures, not nearly as much is written about creating a positive enterprise culture emphasizing cybersecurity in the workplace.
So how can we lead a digital transformation that is also people-focused and security-focused at the same time? Here are a few of the common answers I have seen around the Internet over the past few years:
- Tripwire: 3 Tips on How to Create a Cyber Security Culture at Work
- Huffington Post: 6 Tips to Build a Cyber-Security Culture at Work
- Security Intelligence: Building a Cybersecurity Culture Around Layer 8
For several years now, the typical answers included a central focus on effective security awareness training for all employees as well as the need for management buy-in and business leadership for cybersecurity.
Nevertheless, digging a bit deeper, here are, in my view, seven keys to building a lasting security culture that can outlive individual security incidents and staff turnover.
1) Genuine Executive Priority and Support — We all know that children watch (and usually follow) what their parents do, not just what they say. In the same way, staff learn what the real priorities are from executive actions. Are managers walking the talk? Are resources backing up the executive memos?
For example, when I was CSO in Michigan government, Gov. Rick Snyder was a true champion for cybersecurity in the state, and in the nation, who frequently discussed cyberactions at cabinet meetings and led by example. If this executive priority focus is missing, you will struggle to succeed in the other areas in the long run. Consider these suggestions to build management support for cybersecurity.
2) Honest Risk Assessment to Measure Security Culture Now — What is the security posture currently? How are security audit findings addressed? What are real technology and security priorities? Are there metrics and/or dashboards to measure progress?
Here is a video from the RSA Conference on one method for measuring security culture.
Also, this excellent article from Deloitte shows how to assess your culture from a perspective of beliefs, behaviors and outcomes.
3) A Clear Vision of Where You Want Your Security Culture to Be — A lot has been written about benchmarking and following best practices in cybersecurity. One important question is whether you know where you are heading. What is the vision of what success looks like for your security and technology teams?
Consider visiting your industry peers and learning from other public- and private-sector organizations that are doing cybersecurity culture well. Look at the National Association of State Chief Information Officers (NASCIO) award-winners, NGA best practices and state and local partners in your region. Consider a road trip to learn from others and benchmarking progress.
For example, back in 2011-2012, Stu Davis, the Ohio CIO, brought a team up to Michigan to see how we built our security architectures and governance. Ohio state government used that visit and follow-on conversations to build an excellent cybersecurity program.
4) Do You Have a Cyber Plan? — Many state governments have published cybersecurity plans to clearly describe where they are going, who’s involved, and what the expectations are for various groups. Examples include Michigan, Delaware, Missouri, North Carolina and others.
More details will soon be provided on this cybersecurity planning topic in an upcoming blog.
5) Clear Cybercommunication to the Masses — Great, you have a plan and specific action steps. But does anyone know what’s happening? What is the elevator pitch? How well are these messages received? Is the communication flowing both ways? Are you getting feedback?
Communicating cybermessages is an ongoing challenge, and no leader has done that better over the past year than Virginia Gov. Terry McAuliffe — who has made cybersecurity the top topic during his year as NGA leader.
6) End User Security Awareness Training for Everyone. This Includes Managers, System Admins and Other Specific Roles — As mentioned several times above, culture change definitely involves offering intriguing, relevant, updated, timely training that is brief, frequent and focused, delivered to the entire enterprise.
And while this is the area that is the one most often discussed regarding security culture change, it is only one component. Still, this cannot be a check-the-box exercise and be successful. I described this effective cybertraining area in much more detail in this recent interview with MicroAgility CEO Sajid Khan.
7) Celebrate Success with Food and Fun — Is security part of the business DNA? How do you know what people are really engaged in? Answer: see what they celebrate. When do food and family show up for awards?
Ask this question of your organization: When do you celebrate success? Assuming this is happening at all, are people rewarded for doing the right things regarding security? Any bonuses for great cyberetiquette or awards for doing the right things?
Here are some specific examples to ponder. And here are some cultural mistakes to avoid with security training.
Final Thoughts
In conclusion, building a healthy security culture is not a one-time project or one-year focus. Like building a great college football program at schools like Alabama, this is an ongoing challenge that must be repeated as the organization changes.
For more details, I really like this ISSA series of CISO mentoring talks, which provide many practical tips for security leaders to consider from CISOs who have been successful in different industries over many years. Following their advice is a great way to enhance your culture of cybersecurity.
Finally, I want to close with this quote from David Novak on the greatest challenge facing leaders today.
“Seven in 10 employees in the U.S. are not engaged. They're going to work and they can't wait to go home," he said.
Novak said great companies create environments where everyone counts and is valued. That’s why your corporate or government culture is so central to organizational success.
Is security a piece of your culture change efforts?
This blog first appeared as "Seven Keys to Strengthen Your Cybersecurity Culture" at: Lohrmann on Cybersecurity & Infrastructure
You can follow Dan on Twitter: @govcso
Thanks for posting, Dan. Good article and a topic of great interest: Security Culture. I would add that organizations should go much further than security awareness training to change culture. Standard awareness training is a good step, but it is mostly an offline exercise, disconnected from real systems, real apps and workflow. More impact on users' attitudes and decisions, and thus culture change, can be achieved by something that is real-time, something that sits dead in the middle of the user's workflow and their most common apps and data. Something that helps users know in real time what the value and/or risk of the data they are handling is, and what they should and should not do with that data. I suppose we could call that real-time security awareness training, but most call it user-driven data classification :) Again, great article, keep them coming!
Manager of Project Management Office, Michigan Medicine (7 years ago): Dan, good summary to keep focus and advance cybersecurity.
CISO | Data Privacy | Diversity | Digital Transformation | IoT & ICS Security (7 years ago): Dan, couldn't agree more on your points. To help infosec practitioners cook a successful dish, I will share the well-received topic of "Recipe of a successful cyber-safe awareness campaign" at #SecureSingapore 2017. https://www.cvent.com/events/-isc-securesingapore-2017/agenda-8011d489c0b04e2b803b039948746b17.aspx