Building a stronger security culture: 9 practical tips for senior leadership

In this month’s newsletter, Sam Robson from ThreeTwoFour discusses the role of organisational culture in cyber security and the practical steps senior leadership can take to help facilitate a better security culture within their organisations.

There is little doubt that effective cybersecurity controls are the responsibility of every member of your organisation, no matter the seniority. However, engraining cyber security into the organisation is not as complex as you might think.

All it takes are targeted activities, and key awareness concepts, to help to improve culture.

Small steps towards improving your cyber security culture can create a big wave.

There are several ways that senior leadership can achieve improvements, and we have included the best 9 below.

1. Ensuring that senior leadership not only “talk the talk” but can also “walk the walk”.

Leaders must demonstrate their commitment to cybersecurity by not making the same mistakes they want their team to avoid. Staff need to hear and see that their leadership team take it seriously, so leaving a laptop at the pub while entertaining clients, or sending confidential documents to a public email address, are not mistakes that you want your team to make. So, nor should you.

Recently, we were engaged by a client that just had to tell the PRA, ICO and FCA about how one of their execs had their Linkedin hacked by a phishing email. One of the actions as a response to the breach is a board-reported action for their CISO to strengthen the existing Phishing training process.

2. Complete the training and take it seriously.

If the senior leadership team are not taking the training seriously then how can you expect their team to?

In strong cyber security resilient organisations, their leadership teams have specific (bonus impacting) KPIs that are tied to cyber security training completion, ensuring this is being completed timely.

It is important that the training element is taken seriously and that it is regularly communicated. What better way to start a conversation with your direct reports than “I’ve completed the training and found this interesting, have you?” 

3. Make cyber security part of the day-to-day operations of the business.

Regular messaging is key to influencing and improving culture. One effective way to achieve this is by having a standing meeting agenda point at the end of each meeting, where employees recap whether any key decisions made during the meeting may affect their organisation’s cybersecurity risk profile. This repetition in each meeting with a rolling review and impact assessment is a great way to keep cyber security at the forefront of employees’ minds.

4. Don’t just leave it to the “technology team”.

Cyber security is about the actions of all employees. It is not enough to simply rely on your technology team to implement tools and procedures to detect when a cyber security incident is occurring and for them to have the processes to address it.

"Prevention is better than cure; your “non-technology” teams also need to be fully aware of both their responsibility, and most of all, their importance, in reducing the risk of cyber security incidents."  says Sam Robson

5. Use war stories as a powerful tool of communication.

Sharing real-life stories of poor cybersecurity practices and their impact can be a powerful tool to raise awareness among staff. Repeating these stories in regular staff communications can help remind employees of the importance of taking cybersecurity seriously.

Nothing hits home more than highlighting a real-life story of poor cyber security. For example, did you know that company X, who is in the same industry as us, just lost £Y million simply because one employee inadvertently clicked and entered data responding to a phishing email titled “Click here to win an iPad”? 

Don’t be afraid to use “shock and awe”. A good way of convincing senior management is to highlight that they will be the ones that will have to report the incident to regulators, therefore “do you really want to be the one telling the regulators about the breach?” is often a good question to peak their interest.

6. Assess who are your higher risk staff.

The potential impact on your organisation, in the case of a cyber security threat or incident, varies greatly depending on your role. The level of training required for staff who are considered “higher risk” should be more in-depth and comprehensive than the training provided to the remainder of your organisation.

This approach also helps tailor training to specific roles within your organisation. There is very little point in having an IT system administrator, who needs to understand the specific risks over their privileged access, being trained on payment processing risks. A one size fits all approach to higher-risk users will not increase engagement or understanding.

7. Test, test, test.

Nothing provides more comfort to cyber security risk than seeing the results of testing; assuming you achieve the results, identify areas of weakness and where best to target your remediation efforts. But be warned, while this can be resource intensive, it’s not enough to run a test once and hope for the best outcome.

The value comes in capturing the lessons learned from testing, implementing enhancements to your approach, and repeating these tests regularly, to demonstrate controls and results are improving and the message is getting across.

8. What you can measure, you can manage.

Identifying metrics that help determine the positive impact of the organisation’s cybersecurity activities can demonstrate how cybersecurity is trending and allow making necessary adjustments to the approach. A simple dashboard of key metrics such as training completion, training time taken, outcomes of testing, number and nature of cyber incidents, and lessons learned can help monitor progress.

9. Make it engaging.

We all know the feeling of cyber security becoming a burden or “just another set of training where I just click the next button on the training slides”. Having myriad policies and procedures, or lengthy training without a practical way of bringing these concepts to life, may just be increasing complexity and not effectiveness. The result, even with the best designed controls and processes, may be circumvention by your staff as the processes are simply too complex.

Training needs to be bite-sized and regular, tailored to the audience, their role, and their level of risk.

Testing should be engaging, “surprising” and the results shared widely.

War stories should be regular and have sufficient “shock value” to inspire action.  Management needs to regularly extoll the virtues and importance of remaining vigilant against the “enemy”.

This is how the culture develops and solidifies.  

A culture that values security and encourages employees to take an active role in protecting the company’s data and systems can go a long way towards reducing the risk of a successful cyber-incident.

By Sam Robson, Senior Manager, ThreeTwoFour

Sign up for updates!*

Hey there, couldn’t help noticing you’re using Internet Explorer

That’s great and all, and we commend you for pushing through with it. Unfortunately we no longer offer support for IE; it hasn’t received a major update since 2015 and Microsoft are dropping support for it later in the year.

If you’re using Windows 10 and want to stick with a built in browser, please consider switching to Edge. Or, if you really want to enjoy the internet properly we strongly recommend downloading Google Chrome here.