Cybersecurity is more than just the tech: It’s about the people

By Lance Spitzner, Senior Instructor at SANS Institute

January 9 2023 - As cyber attackers continue to grow in both their number of attacks and capabilities, organisations are growing their investments in cybersecurity. However, as organisations are getting better at securing technology, cyber attackers have shifted their focus, and now their primary attack vectors are people. To address the human side, security teams are now communicating to, engaging, and training their workforce so that not only are employees more secure, but the organisation establishes a strong security culture.

It should be no surprise that routine human error is a major contributing factor to breaches and can undermine even the most resilient workplace cybersecurity measures. In our fast-evolving hybrid world, where 80% of breaches involve human elements, there is no stronger case for a total rethink and reset on how we lead a cybersecurity change and drive a strong cybersecurity culture across the workplace.

Ultimately, the stronger your security culture, the more likely people will behave securely and exhibit secure behaviours. The bottom line is that if you want your workforce to exhibit secure behaviours, you must do the groundwork by creating the environment for that behaviour to flourish.

Grow a positive security culture

Culture is built and shaped by what people think. At its heart, it’s about people’s shared attitudes, perceptions, and beliefs. These key principles underpin a cybersecurity culture. The drivers of this positive cybersecurity culture are some of the things that we, as humans, value the most. Fundamentally, if security at your organisation is too authoritative, unapproachable, or unable to engage with a workforce positively, then people will simply not like the cybersecurity lessons you’re trying to teach. Humans are widely criticised as the weakest link in the cybersecurity chain, but telling people they’re doing it all wrong will get you nowhere. Instead, you’ve got to educate and build that cyberculture that reaches everyone at every level across the workforce.

It will come as no shock that even the best management programmes break down if they’re not backed up with a strong and positive culture. All too often, negative culture is the exact root cause of why vulnerability management programmes fail. SecOps fail, too, when teams butt heads and the working culture isn’t positive and collaborative enough to foster great results. The point is, no matter how important the security objective, it is destined to fail if the workforce believes there to be a toxic security culture. Terms which too often arise when describing this type of poor culture are ‘punitive,’ ‘vague,’ and ‘fear-focussed.’ How will you take the workforce on a cybersecurity journey with you if you have this problem? Having the ideation in place is one thing, but with the communications strategy in place, sharing that vision and executing it requires a whole other skill set.

The rules for achieving this stronger cybersecurity stance

1. Culture starts with the security team. If people find your policies easy to follow and collaborative, you’re off to a great start!

Self-awareness plays a central role in this endeavour, and security teams must be able to hold a mirror in front of themselves and ask, "would I buy into what I see here?" It’s a measure that requires understanding what people think about the security team. While it might seem daunting to ask the workforce what they think about their cybersecurity team, there’s no better way to get a cyberculture health check and an understanding of what needs fast improvement. To get started, you can focus on these key performance indicators.

Ask yourself:

• Do people feel safe reporting incidents? Even ones they might have been responsible for?
• Does the security team receive regular communication from the workforce, such as requests for briefings?
• Is the message getting through? If not, why? Is it too technical, too vague, or too unfamiliar?

When trying to steer the security course of an organisation, remember that emotions count enormously. So it’s vital to facilitate a frank discourse where employees can freely share their thoughts and feelings about everything from the security team to policies and training opportunities.

2. The Dos, not the Don’ts

Success lies in motivating the workforce and enabling security. You don’t do that by technical wizardry; you do that by understanding people. Look towards simple behavioural architecture to see if you can inspire people to do what you want them to do without them noticing it. As experts in what we do, we can be guilty of giving cognitive overload. How about we simplify this by spelling out what must be done in simple, non-technical language to hit the right notes? In cybersecurity, the list of don’ts is never-ending, so it’s impossible to tell people everything they shouldn’t be doing. Instead, make it easy for everybody and tell the workforce the five things they should be doing. Isn’t it better that they take five simple actions than ignore the 20 things you tell them not to do?

3. Always keep it simple

When communicating cybersecurity instructions, you need to keep it simple. For instance, if you’re rolling out a new password manager, do you think people will take the time to decipher the technical language or care about your -well-intentioned- explanation of why it’s important for regulations and the company? That’s a resounding no. So why not be the good guys and tell people how much time they’ll save with this new solution and how much simpler the working day will be when they follow a few simple instructions? If writing for mass audiences isn’t your strong suit, no problem. Take the time to connect with HR or internal communications teams to get help communicating your vision in non-technical language. For effectiveness, writing should always be from the point of view of people and not the security team. Remember, communicating doesn’t have to be dull and corporate. Putting your instructions into something like a comic book would get many more people wanting to absorb what you have to say!

Making positive changes to secure your future

Today, cybersecurity leadership is no longer just about technology. It is ultimately about organisational change - change not only in how people think about cybersecurity but in what they prioritise and how they act - from the Board of Directors to every other level of the organisation.

Business leaders should take on real-world board lessons and deepen their company’s cybersecurity culture by implementing organisational change models. Security professionals must remember: it’s not just about the tech but fundamentally about the people. They are tasked with the role of people manager to help implement meaningful change to behaviours. At the crux of it, security is all about managing human risk.

• More Human Resource Systems and Technology Articles