By Bill Bonney, CISA, Author, Cybersecurity Evangelist, and Virtual CISO
Tricia Griffith, CEO of Progressive, the large insurance provider, said: “With the right people, culture, and values, you can accomplish great things.”
Several excellent analogies can be used to describe the global challenge we face in cyberspace. We can describe it as modern piracy, given the history of piracy impacting so many people while it was rampant, its criminal nature, and its use in proxy wars between the great naval powers of the 17th and 18th centuries. It could be thought of as similar to infectious disease, given how often software viruses are proximate to fraud and sabotage, how widespread and destructive these viruses are, and how they spread through contact. It can be considered akin to unbridled marketplace competition as perhaps the emerging industrialists envisioned their battlefield in the 18th and 19th centuries. And, of course, it can be thought of more directly as outright war, where skirmishes and battles are fought by and for nation-states, with catastrophic collateral damage being inflicted on citizens the world over.
In each case, the common first step in fighting back is to change the culture. Whether it’s to band governments together to defeat a common enemy, create a public/private cooperative, or develop a sense of civic duty through education and public discourse, causing a culture change is often the first step in turning the tide.
With that as the backdrop, let’s think about how we’re doing in this culture change we know we need. ISACA and the CMMI Institute tapped the power of their combined community to look at how we’re doing at developing and adopting a cybersecurity culture. The 2018 ISACA/CMMI Culture of Cybersecurity research looks at more than 30 data points related to cyber culture, and with nearly 5,000 global respondents over small, medium and large organizations, there are several revealing findings.
To make the shift we need requires three distinct steps or phases. First, we need to create awareness of the problem in a way that makes it real to the entire workforce. It needs to be personal. People need to understand why it matters, not just to their organization, but to them. Next, teach people basic self-defense. They need to know what they should do to protect themselves. Then, finally, we need to develop within the workforce a sense of unity of purpose and make real to them the shared outcomes we want to achieve.
From the research, we see that 87% of respondents believe that establishing a stronger cybersecurity culture will improve profitability or viability. We also learn that almost 8 in 10 believe those without such a culture experience more breaches, and more than 7 in 10 think they would be more susceptible to phishing. I think this is great; it means we are motivated to make the changes we need to the cyberculture we have, and we believe it is essential to the organization, not the regulators, that we do so.
Coming back to our three steps, we also see from the research that fully 96% of respondents already have or expect to have employee training in place by the end of next year. We can assume, then, if you are reading this, you likely have a program in place. Most importantly, the topic most often addressed is cyber risk awareness, cited by 8 in 10 respondents. Your task now is to make sure this awareness program establishes the connection for the workforce of how cyber hygiene impacts them personally.
You’re not alone. Barely 3 in 10 believe their workforce understands their role in cybersecurity completely or very well. Conversely, around half believe they somewhat understand their role, and almost 2 in 10 (19%) fall into the not at all and minimal categories. I think we need to move a good many people from “somewhat” to “very well” to create the momentum we need toward a sense of unity around the outcomes we want. Three in 10 can’t well create a draft for their teammates, but perhaps 6 or 7 in 10 can. Clearly this is important, as 41% of respondents agree that the lack of employee buy-in or understanding is the most critical inhibitor for achieving the desired cybersecurity culture.
Of course, measuring our progress is essential. First, make the tweaks to your program to make it personal to all workers. Then, add regular assessments to gauge how the workforce is responding, a step that most organizations are currently missing. Moving the bar on this metric will significantly improve the effectiveness of your cybersecurity awareness program. Engage with the workforce, measure phishing click-throughs, reward successful outcomes, and make sure you have consistent executive sponsorship. If executives can motivate the workforce to improve product quality and increase sales, they can certainly accomplish the great things that Ms. Griffith believes a great culture can achieve by driving a change in the cybersecurity culture.
Bill Bonney, CISA
Bill Bonney is a security evangelist, author and consultant. Most recently, Bill was Vice President of Product Marketing and Chief Strategist at FHOOSH, a maker of high-speed encryption software. Prior to FHOOSH, Bill held executive management roles at the financial services firms Inuit (maker of TurboTax and QuickBooks) and FICO (of the famed “FICO Score”) and was Vice President of Product Marketing and a Principal Consulting Analyst at TechVision Research. Bill holds multiple patents in data protection, access and classification, and is a member of the Board of Advisors for CyberTECH, a San Diego incubator, and in on the board of directors for the San Diego CISO Roundtable, a professional group focused on building relationships and fostering collaboration in information security management. Bill is a highly regarded speaker and panelist addressing technology and security concerns. He holds a Bachelor of Science degree in Computer Science and Applied Mathematics from Albany University.