Cyber Security
(Cyber) Security Culture Eats (Cyber) Security Strategy for Breakfast
By Jacqueline Jayne, Security Awareness Advocate – APAC, KnowBe4

IT professionals around the world have some thorough and detailed frameworks and guidelines to use when it comes to developing a robust information security strategy, but there is one thing missing – the human element.

The cyber threat landscape is out of control across the globe and organisations can’t seem to get ahead of the curve. Cyber attacks are increasing as cybercriminals are becoming more and more sophisticated and their methods are quite frankly abhorrent. They continue to target our human vulnerabilities and leave a trail of destruction in their wake without a care in the world.

Most organisations have a well-documented cybersecurity strategy. The Australian Cybersecurity Strategy 2020 was released in August with a focus on government, business and the community. The recommendations made are all great, however, achieving the desired outcomes will be challenging if there is no clear way forward as to how we as a nation go about creating a (cyber)security culture to support the strategy.
The missing link is the human element. Protecting systems and information is the core purpose of anyone working in the information security world, which includes cybersecurity. Yes, some people see these as one and the same and others see them as separate disciplines, but that’s a discussion for another day. Today, we are looking at the human operating system and what you can do to attract its attention, raise curiosity, get buy-in and have yourself a powerful culture of (cyber) security in your organisation.

Context and understanding are important in this process, so let’s start with some definitions.

Strategy is tangible and visible with clear guidelines. It’s the road map, the plan, the goals, the logical process of taking us from where we are to where we want to be. A place where outcomes are defined and results are measured and managed.

Culture is tacit and elusive in its very nature. It’s often unspoken, based on behaviours, hidden in the thoughts and minds of people. We have all heard things like ‘the behaviour you ignore is the behaviour you accept’ or ‘the fish rots from the head’ or ‘monkey see, monkey do’. These sayings can all describe culture. We often see the framework of culture in an organisation’s vision, mission and values, which can describe the attitudes they have towards various elements. For example, do they value innovation over tradition?

16 | Australian Cyber Risk Leaders Cyber Security Magazine Magazine

Observable culture is the way an organisation welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors. It is also the way you go about your day-to-day work when no one is watching, which has been highlighted as we moved to a remote working situation in this year of COVID-19.

Strategy is usually an annual event – ‘here is our 2020 strategy’. The road map for the year is clear and, hopefully, we all know what our role is in it. Culture, if not defined, is formed by the people, their attitudes, values, unconscious bias and overall approach to the world. Unchecked, group thinking emerges, silos form and, if you are not careful, you may find yourself amid a toxic culture.

For organisations that are about to go through a lot of change, it is going to be important for them to understand what the culture-related change is for their people. Do they embrace change, or will they fight it every step of the way? This is the very reason many strategic plans fail: the culture was ignored or dismissed as being irrelevant. Big mistake!

We can have the most brilliant (cyber)security strategy the world has ever seen, and it will never be completely realised if we fail to engage the hearts and minds of the people.

Before we look at how to go about creating a (cyber) security culture, let’s look at the benefits of having one versus not having one.
The following examples are situational. They are written from the point of view of the human, your users, and represent what’s going on in their minds.