Tips · 5 MIN READ · YANEK KORFF · NOV 4, 2022
If we live a life of unawareness, we may get caught in the never-ending cycle of reacting to life’s circumstances
– Mingyur Rinpoche
Cybersecurity Awareness Month just wrapped.
This year’s emphasis on people was refreshing. CAM always results in lots of blog posts and media articles sharing advice that people should follow, and this content is typically packed with outstanding information.
At some point, though, our success in combating cybercrime needs to evolve past the “advice” stage and move into the culture stage. Instead of the bullet points being something we think about doing, they must become things we do all the time, without having to think.
Let’s turn this into year-round culture. There’s no question that designating a whole month to cybersecurity best practices is important. But cybersecurity awareness should be part of our day-to-day lives. Relying solely on following step-by-step advice for disaster prevention only in the month of October has the potential to stunt our progress toward a world built on ingrained safety and well-being.
Is there a better, more positive way of thinking about this? The Zen distinction between thought and awareness provides some insight into where we are and where we want to go.
We can think about our awareness and we can be aware of our thoughts, and a fully realized cybersecurity culture is grounded in the higher-order state.
Consider driving a car. Safe driver checklists like this one—which includes 33 steps—lay out all the rules, most of which we learned while studying for our driver’s licenses. But when we get behind the wheel, we don’t pause to tick off each bullet. Most of us automatically buckle up. We check our mirrors before backing out of the driveway. We signal when we want to turn. We obey traffic signals and signs without thinking about it. We don’t drag race through school zones. We turn on our lights at dusk and slow down when it snows. And most importantly, we pay attention to the traffic around us, because we know that awareness is our best defense.*
In other words, we’re part of a culture of highway safety. We had it modeled for us by adults as we were growing up. We learned it in driver’s ed and passed the tests when we turned 16. Through practice and repetition, we behave safely without thinking about it.
We have become the checklist.
This is where we need to get with cybersecurity. But how?
Training. It goes without saying (but we’ll say it anyway) that training is essential. As we think about evolving toward a “zen cybersecurity” culture, here are a few things to consider.
- Training should be continuous. It isn’t enough to have an annual or even semi-annual event. A program that schedules more routine engagement with security keeps good practices front-of-mind and introduces information about new threats.
- Training must be engaging. How often have you taken “training” where you hit play, went to do something else, then came back to take the “test”? This is, by definition, not training: you don’t learn anything new. Also, is the training basically a glorified PowerPoint? Modern audiences are accustomed to entertaining narratives driven by strong visual communication (and new information is interesting). These experiences establish a sensory baseline, and you can’t learn when you’re asleep. There are many ways to be boring, and all of them make for weak training.
- Training should be success-focused. Disaster cases are easy to find and make for compelling stories. But training that models winning provides the carrot to balance the stick of the daily news. No shame, no fear, no threats—these aren’t dynamics you want at the center of your culture. Cases that illustrate how awareness and behavior won the day can associate strong security practices with satisfaction and accomplishment.
Leadership support. Employees are on the receiving end of lots of “compulsory” communications, and while they know these periodic reminders (legal, compliance, security, etc.) are important, they can quickly tune out as soon as they realize that, oh yeah, we already know this.
A good way to bypass the tune-out is to make sure executives address security as a matter of habit outside routine channels. Leaders can use personal communications, company calls, and unscheduled emails to reinforce training themes, point to internal successes, praise specific employees for best-practice behavior, and so on. The point is to illustrate that leaders aren’t just spouting boilerplate for legal “CYA” reasons.
Culture ownership. One popular bit of advice is to assign the job of “culture owner” to a specific person. This is a good idea, especially in an institutional setting, because it elevates the profile of the evangelist and invests this person with the approval of leadership.
It’s only an interim step, though. Longer term, and beyond the walls of a single organization, everyone owns the culture. Socializing this message should be the culture “owner’s” primary mission.
Core value. Organizations have a set of fundamental principles that guide everything they do. “Customer focus” is the prime directive for many businesses. Amazon is famous for its “bias for action.” Patagonia pledges to “use business to protect nature.” At Expel, we take equity, inclusion, and diversity very seriously because we know it’s the foundation for excelling at everything we do.
Cybersecurity awareness not only safeguards the business, it promotes continuity and extends a halo of security to your customers, third parties, and communities. It can be an ideal pillar for a more productive value set.
Normalize security discussions. Encourage employees to talk about security. Security awareness is routine in a mature cybersecurity culture. Over time, the goal is to replace FUD with a more casual “enlightened paranoia.” Yes, the bad guys are out to get us—because that’s what bad guys do—but we have it under control and we aren’t afraid. (Also, as the topic becomes normalized in the workplace, workers are more likely to take it home with them, helping spread awareness beyond the office.)
Cybersecurity safeguards us from a volatile world of risk. But FUD and anxiety aren’t sustainable responses. In her recap of this year’s RSA Conference, Expel CMO Kelly Fiedler explained that “hope and encouragement [wins] over fear, uncertainty, and doubt.”
As we close out Cybersecurity Awareness Month 2022, let’s sustain the momentum by remembering to see ourselves in cyber. This prescription may seem a little abstract to some, but the emphasis on people—that’s easy to identify with. People are our coworkers, our families, our friends, and our neighbors.
The more our culture is driven by awareness instead of checklists, the more energy we have for pursuits that benefit our organizations and the communities we serve and live in.
* Yeah, we know. Not everybody is great about all these things. Especially the one about turn signals.