The Zen of cybersecurity culture

5 MIN READ · YANEK KORFF · NOV 4, 2022

If we live a life of unawareness, we may get caught in the never-ending cycle of reacting to life’s circumstances
Mingyur Rinpoche

Cybersecurity Awareness Month just wrapped.

This year’s campaign theme—“See Yourself in Cyber”—demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school–now and in the future. (Cybersecurity and Infrastructure Security Agency)

This year’s emphasis on people was refreshing. CAM always results in lots of blog posts and media articles sharing advice that people should follow, and this content is typically packed with outstanding information.

At some point, though, our success in combating cybercrime needs to evolve past the “advice” stage and move into the culture stage. Instead of the bullet points being something we think about doing, they must become things we do all the time, without having to think.

Let’s turn this into year-round culture. There’s no question that designating a whole month to cybersecurity best practices is important. But cybersecurity awareness should be part of our day-to-day lives. Relying solely on following step-by-step advice for disaster prevention only in the month of October has the potential to stunt our progress toward a world built on ingrained safety and well-being.

Is there a better, more positive way of thinking about this? The Zen distinction between thought and awareness provides some insight into where we are and where we want to go.

Awareness itself allows us to stand at the river’s edge without getting sucked into the current… Thoughts are still there. They may be quiet or turbulent, focused or wild and scattered. But we have stopped identifying with them. We have become the awareness, not the thoughts.

We can think about our awareness and we can be aware of our thoughts, and a fully realized cybersecurity culture is grounded in the higher-order state.

Consider driving a car. Safe driver checklists like this one—which includes 33 steps—lay out all the rules, most of which we learned while studying for our driver’s licenses. But when we get behind the wheel, we don’t pause to tick off each bullet. Most of us automatically buckle up. We check our mirrors before backing out of the driveway. We signal when we want to turn. We obey traffic signals and signs without thinking about it. We don’t drag race through school zones. We turn on our lights at dusk and slow down when it snows. And most importantly, we pay attention to the traffic around us, because we know that awareness is our best defense.*

In other words, we’re part of a culture of highway safety. We had it modeled for us by adults as we were growing up. We learned it in driver’s ed and passed the tests when we turned 16. Through practice and repetition, we behave safely without thinking about it.

We have become the checklist.

This is where we need to get with cybersecurity. But how?

Some thoughts.

Training. It goes without saying (but we’ll say it anyway) that training is essential. As we think about evolving toward a “zen cybersecurity” culture, here are a few things to consider.

  • Training should be continuous. It isn’t enough to have an annual or even semi-annual event. A program that schedules more routine engagement with security keeps good practices front-of-mind and introduces information about new threats.
  • Training must be engaging. How often have you taken “training” where you hit play, went to do something else, then came back to take the “test”? This is, by definition, not training–you don’t learn anything new or novel. Also, is the training basically a glorified PowerPoint? Modern audiences are accustomed to entertaining narratives driven by strong visual communication (and new information is interesting). These experiences establish a sensory baseline, and you can’t learn when you’re asleep. There are many ways to be boring, and all of them make for weak training.
  • Training should be success-focused. Disaster cases are easy to find and make for compelling stories. But training that models winning provides the carrot to balance the stick of the daily news. No shame, no fear, no threats—these aren’t dynamics you want at the center of your culture. Cases that illustrate how awareness and behavior won the day can associate strong security practices with satisfaction and accomplishment.

Leadership support. Employees are on the receiving end of lots of “compulsory” communications, and while they know these periodic reminders (legal, compliance, security, etc.) are important, they can quickly tune out as soon as they realize that, oh yeah, we already know this.

A good way to bypass the tune-out is to make sure executives address security as a matter of habit outside routine channels. Leaders can use personal communications, company calls, or unscheduled emails to reinforce training themes, point to internal successes, praise specific employees for best-practice behavior, and the list goes on. The point is to illustrate that leaders aren’t just spouting boilerplate for legal “CYA” reasons.

Culture ownership. One popular bit of advice is to assign the job of “culture owner” to a specific person. This is a good idea, especially in an institutional setting, because it elevates the profile of the evangelist and invests this person with the approval of leadership.

It’s only an interim step, though. Longer term, and beyond the walls of a single organization, everyone owns the culture. Socializing this message should be the culture “owner’s” primary mission.

Core value. Organizations have a set of fundamental principles that guide everything they do. “Customer focus” is the prime directive for many businesses. Amazon is famous for its “bias for action.” Patagonia pledges to “use business to protect nature.” At Expel, we take equity, inclusion, and diversity very seriously because we know it’s the foundation for excelling at everything we do.

Cybersecurity awareness not only safeguards the business, it promotes continuity and extends a halo of security to your customers, third parties, and communities. It can be an ideal pillar for a more productive value set.

Normalize security discussions. Encourage employees to talk about security. Security awareness is routine in a mature cybersecurity culture. Over time, the goal is to replace FUD with a more casual “enlightened paranoia.” Yes, the bad guys are out to get us—because that’s what bad guys do—but we have it under control and we aren’t afraid. (Also, as the topic becomes normalized in the workplace, workers are more likely to take it home with them, helping spread awareness beyond the office.)

Cybersecurity safeguards us from a volatile world of risk. But FUD and anxiety aren’t sustainable responses. In her recap of this year’s RSA Conference, Expel CMO Kelly Fiedler explained that “hope and encouragement [wins] over fear, uncertainty, and doubt.”

In an industry that often relies on FUD…to compel action, the common thread from the keynote speakers was a message of hope. Notable leaders from industry giants (think: RSA, Cisco, and VMware) took to the stage to remind us that if we pull together, we have the power to change the world for the better.

As we close out Cybersecurity Awareness Month 2022, let’s sustain the momentum by remembering to see ourselves in cyber. This prescription may seem a little abstract to some, but the emphasis on people—that’s easy to identify with. People are our coworkers, our families, our friends, and our neighbors.

The more our culture is driven by awareness instead of checklists, the more energy we have for pursuits that benefit our organizations and the communities we serve and live in.

* Yeah, we know. Not everybody is great about all these things. Especially the one about turn signals.