By Michael Tanji
Cybersecurity people often say “we need to bake in security.” What they mean is they want software companies and hardware manufacturers to design and build things securely from the get-go and not count on third parties, like antivirus companies or firewall companies, to bolt on security capabilities after the fact. That after-the-fact model is how things have been done from the start of the computer age because the people who want and need computers demand functionality, not security. They want fast computers. They want computers with a lot of memory. They want computers that can handle a wide range of tasks because people are in business, they’re not in the security business.
In the immortal words of management guru Peter Drucker: “Culture eats strategy for breakfast.” The first step in any new endeavor is usually developing a strategy, which is great, but a strategy is about doing a thing; culture is about believing in a thing. Building security into your company culture isn’t just about developing and integrating security policies and practices, it is about instilling a security mindset in your people. You must make them aware of the threats, as well as the risks associated with inattentiveness and carelessness, and you must train them to make good decisions when faced with a security dilemma. Like making high quality widgets, it should become second nature.
It Starts at The Top
People take their cues from the top. If what the boss says and what the boss does are two different things, employees will follow what the boss does, or focus on what he talks about the most. Let’s assume employees at the widget factory are told on their first day how to comply with safety regulations. At the start of every week they are briefed on what the production goals are for the week, and what the per-widget cash bonus is for every widget produced above the minimum. You told them once—maybe years ago—to be safe; you tell them every week what will get them a reward. If safety protocols and protective devices make it hard to exceed the minimum widget production rate, what do you think people are going to do?
Talk About It
What is the usual agenda for your Monday morning staff meeting? Operations update? Accounting and finance? Personnel? Whatever the format of the meeting is or what you discuss, you talk about these things because they’re important. They might not be exciting, but they’re critical to the viability of your business. If they don’t get done, the business suffers. The easiest way to start integrating security into your culture is to add the topic of security to the daily routine. When people start hearing these things on a regular basis, they start thinking about them. They start talking about them with their peers and subordinates. When cybersecurity is something you address once a year or once a quarter, it’s in one ear and out the other.
Prepare for It
People can’t comply with any policy if they don’t know what they’re supposed to do in a given situation, and why. You practice fire drills. You practice active-shooter drills. You bone up on processes and techniques before an inspection. You double-check your numbers before an audit. The same sort of preparation and attention to detail needs to be applied to cybersecurity if you expect people to get it right when they’re faced with a real problem.
Rewards don’t have to be massive or elaborate, but they need to be meaningful. You need to make it clear that there is value in adhering to security policy and following good security practices because there is value in a secure enterprise. What makes for a meaningful reward? You know your people better than I do. What are they interested in? What do they need? What do they do for fun? Get your managers involved to make rewards as meaningful as possible on a personal level.
If you would penalize someone for violating a company policy about handling financial transactions, or how they treat other people, you have to do the same for security violations, or people are really not going to take it seriously. This doesn’t mean firing everyone who clicks on a spam email. It simply means developing a series of reasonable, graduated responses to policy violations that are designed to get people to change their behavior.
A strong cybersecurity program starts at the top, and requires that you walk the walk. If you’re really behind this effort, you need to go through the same training as everyone else, and you need to adhere to the same policies as everyone else. You need to make cybersecurity a part of the daily routine so that everyone knows it’s important, and that they need to put into practice what they’ve learned. Treating cybersecurity as something “special” that only gets addressed occasionally, or when something bad happens, is a sure-fire way to get people to ignore security policy and disregard security practices.