{"id":1216,"date":"2024-12-13T09:01:00","date_gmt":"2024-12-13T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1216"},"modified":"2024-12-13T09:01:00","modified_gmt":"2024-12-13T09:01:00","slug":"how-to-turn-around-a-toxic-cybersecurity-culture","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1216","title":{"rendered":"How to turn around a toxic cybersecurity culture"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A toxic cybersecurity culture affects team turnover, productivity, and morale. Worse yet, it places enterprise systems and data at risk.<\/p>\n<p>In a toxic cybersecurity culture, everybody believes that cybersecurity is somebody else\u2019s job, says Keri Pearlson, executive director for Cybersecurity at MIT Sloan (CAMS), a research consortium focusing on cybersecurity leadership and governance issues. \u201cThey don\u2019t see any value in making efforts that help keep the organization secure.\u201d<\/p>\n<p>Here\u2019s how to know whether your cyber culture needs revamping and how to get your organization on the right track.<\/p>\n<h2 class=\"wp-block-heading\">Warning signs<\/h2>\n<p>When teams treat security as a compliance checkbox rather than a strategic priority, your cybersecurity culture is in clear need of a turnaround, says Rob T. Lee, chief of research and head of faculty at SANS Institute, a cybersecurity training firm. 
\u201cIn such environments, organizations often rush to deploy or purchase technology without proper review or implementing robust access controls.\u201d<\/p>\n<p>Instead of simply labeling a security team as toxic, Chris Reffkin, chief security and risk officer at cybersecurity services firm Fortra, believes that leaders should dig deeper to assess whether the organization actually prioritizes security or simply passes the buck when mistakes occur. \u201cWarning signs include being quick to punish issues, such as poor phishing training performance or accidental misconfigurations that result in a security event,\u201d he says.<\/p>\n<p>The rot typically starts <a href=\"https:\/\/www.csoonline.com\/article\/2092097\/are-you-a-toxic-cybersecurity-boss-how-not-to-be-a-badly-behaved-ciso.html\">at the top<\/a> when leadership fails to prioritize cybersecurity or take personal responsibility for ensuring the organization recognizes the importance of everyone doing their part, Pearlson says. Individuals keep failing <a href=\"https:\/\/www.csoonline.com\/article\/570771\/best-practices-for-conducting-ethical-and-effective-phishing-tests.html\">phishing tests<\/a> and sharing passwords with one another as well as with vendors and others outside the organization, <a href=\"https:\/\/www.csoonline.com\/article\/2132350\/3-reasons-why-users-still-make-security-mistakes-and-how-to-avoid-them.html\">among other habitual security mistakes<\/a>. \u201cThey don\u2019t know \u2014 or disregard \u2014 policies and guide rails put in place to drive cybersecure behaviors.\u201d<\/p>\n<p>Contrary to a popular cybersecurity maxim, believing that people are the weakest link in the security chain is often an early sign of a toxic security culture, says Wolfgang Goerlich, a faculty member at Boston-based cybersecurity research and advisory firm IANS Research. 
\u201cWhen a blame-first mentality creeps into conversations and manifests in decisions, you know the culture is heading in the wrong direction,\u201d he observes.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/567693\/5-signs-your-security-culture-is-toxic-and-5-ways-to-fix-it.html\">Other signs to look for<\/a>, Goerlich advises, are employees hiding mistakes to avoid repercussions, engaging in public shaming, and shifting toward shadow IT and shadow security to avoid the cybersecurity team.<\/p>\n<p>Punishment, if necessary, should be fair and appropriate to the mistake\u2019s severity, says Dan Glass, CISO at IT services firm NTT DATA North America. \u201cIf employees fear repercussions for making mistakes, they\u2019re less likely to report incidents or vulnerabilities, which may lead to unaddressed security gaps and a general lack of transparency.\u201d<\/p>\n<p>A security team that fears making mistakes will likely, over time, generate a negative business impact. \u201cThe lack of a security-first culture will prevent or minimize the willingness of employees to raise issues that pose risks to the organization,\u201d Reffkin warns. Additionally, poor governance will foster a culture that lacks basic risk awareness and a willingness to address risks without fear of reprisal.<\/p>\n<h2 class=\"wp-block-heading\">Corrective steps for a stronger security culture<\/h2>\n<p>CISOs must set the tone at the top, making it widely known that they\u2019re ready to collaborate on security issues and concerns with the entire employee community, IANS Research\u2019s Goerlich says. \u201cThis means consistently finding ways to improve usability, minimizing friction, and delivering both the sense of security and robust technical protections.\u201d<\/p>\n<p>CISOs should put their sneakers on and start walking the hallways, Fortra\u2019s Reffkin advises. 
\u201cThey should spend time with senior leadership to discuss their perceptions of security, present the risks facing the organization, and discuss how security enables the business, and offer specific support to the business units.\u201d<\/p>\n<p>If a CISO doesn\u2019t work toward becoming a <a href=\"https:\/\/www.csoonline.com\/article\/643199\/the-cisos-toolkit-must-include-political-capital-within-the-c-suite.html\">valuable member of the extended senior leadership team<\/a>, it can lead to a misalignment between enterprise direction and security strategy, NTT DATA\u2019s Glass warns. \u201cCreating a blame culture can be particularly detrimental to cybersecurity efforts.\u201d<\/p>\n<p>A cyber culture is something that should be effectively reinforced by all C-level executives, not just the CISO. The CISO can lead by example, reward good behaviors, make heroes out of people who do the right things, create friendly competition between groups to softly discourage bad behaviors, and deploy other motivators to build beliefs that drive effective cybersecure behavior, Pearlson says. \u201cYet the best thing they can do is to help their C-level colleagues make cyber their personal priority, so everyone sees that the company leaders are aligned.\u201d<\/p>\n<p>CISOs must encourage openness, <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness<\/a>, and learning across the organization and avoid using fear of consequences to enforce compliance, Glass says. \u201cA solid awareness campaign that clearly explains the \u2018why\u2019 behind some of the more Draconian security measures will lead to a better understanding of how each employee has a part to play in the shared success of the company\u2019s security.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Gathering support across the enterprise<\/h2>\n<p>CISOs shouldn\u2019t tackle security culture in a vacuum. 
\u201cCollaborate with human resources, employee engagement, and create a cross-functional team,\u201d Goerlich advises. This approach works best when it\u2019s positioned within, and aligned with, the broader organizational culture. In healthcare, for example, tying cybersecurity to patient health and safety, or combining cybersecurity with manufacturing\u2019s safety culture, can lead to both stronger security as well as secondary benefits.<\/p>\n<p>Every C-level executive has a role to play in <a href=\"https:\/\/www.csoonline.com\/article\/1298541\/improving-cybersecurity-culture-a-priority-in-the-year-of-the-ciso.html\">supporting a strong cybersecurity culture<\/a>. When they make cybersecurity their personal priority by talking about it, doing what they can to reward team members who do the right things, and taking a personal interest in learning more about what team members can do, they send a message that reinforces the importance of a healthy cybersecurity culture, Pearlson explains.<\/p>\n<p>The entire enterprise\u2019s senior leadership should actively participate in promoting a robust cybersecurity culture. \u201cCollaborative messages from the CISO and other senior leaders can transform an otherwise disregarded message into an organizational priority that demands attention from everyone,\u201d Glass says. \u201cAdditionally, utilizing all available internal communication channels can effectively spread the cybersecurity message to other platforms that may have higher engagement rates, as well as reach key decision-makers within the organization.\u201d<\/p>\n<p>Cybersecurity culture transformation is challenging and requires an ongoing effort, Lee says. \u201cIt\u2019s crucial to maintain a commitment to continual learning, fostering a shared understanding of how security impacts employees, customers, and the organization as a whole,\u201d he explains. 
\u201cBy empowering employees and engaging them as active participants in security, enterprises can build a resilient culture that evolves alongside the threat landscape.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Continuous improvement is the key<\/h2>\n<p>A great way to ensure that a toxic culture doesn\u2019t appear or, worse yet, persist, is to build effective organizational security controls, Glass says.<\/p>\n<p>\u201cThese controls should be transparent to regular users, and self-service options should be widely available,\u201d he states. \u201cImplementing a well-executed zero-trust security strategy with invisible device security, single sign-on for all applications, and user-friendly, phish-proof authentication tokens, can significantly reduce friction in daily security interactions.\u201d<\/p>\n<p>Ensuring a healthy cybersecurity culture is a continuous improvement exercise. \u201cThere will always be new employees and departing employees that will affect the culture,\u201d Reffkin says. \u201cAn ongoing program will be required to help manage the recurrence of prior poor behaviors.\u201d<\/p>\n<p>\u201cWe need everyone to be on board \u2014 it\u2019s a war, not just an attack vector,\u201d Pearlson warns. A strong cybersecurity culture is the logical place to start. \u201cOur best chance of winning is having an aligned, motivated, and innovative employee base that\u2019s watching out for abnormal things that might indicate a cyberattack.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A toxic cybersecurity culture affects team turnover, productivity, and morale. Worse yet, it places enterprise systems and data at risk. In a toxic cybersecurity culture, everybody believes that cybersecurity is somebody else\u2019s job, says Keri Pearlson, executive director for Cybersecurity at MIT Sloan (CAMS), a research consortium focusing on cybersecurity leadership and governance issues. 
\u201cThey [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1217,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1216"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1216"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1216\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1217"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}