Like a wrong-sized shoe, security causes friction if it doesn’t fit an organization’s culture.
And as with a shoe that doesn’t fit the employees will “kick it off” and go “barefoot,” leaving their companies—and themselves—vulnerable to a path littered with threats.
“Ultimately, security adds friction and cost to doing business,” acknowledges John Bambenek, threat intelligence adviser at Netenrich. “No company has ever added a dollar of profit from being more secure.”
But, as plenty of companies have discovered, when security matches an organization’s culture, workers can come to see it as a trusted partner that helps them get their work done—safely.
“There is a short list of important elements of that culture that will have a direct impact on the security,” says Dirk Schrader, global vice president, security research, at New Net Technologies. The first is about how the organization treats errors and mistakes.”
Employees inevitably will make mistakes. If they fear repercussions, they won’t make good decisions regarding how to resolve those mistakes.
“The second aspect is about responsibility and incentive,” says Schrader. “If a job description clearly states the paid priority tasks of an employee, and then some rather blurry ‘cyber security is the responsibility of all,’ the employee will not feel incentivized to take care of the security. It will rather be seen as a prohibiting element that stands in the way of fulfilling the paid priority tasks and the employee will look for insecure workarounds.”
The third vital element centers around decisions regarding new projects or changes to processes. “These decisions should be incorporating a security perspective (avoiding the term ‘assessment’ for now), so that the new ‘thing’ is mirrored into the security operations of the infrastructure, avoiding any knowledge gap about critical business processes,” says Schrader.
Security-First Culture
No company can afford the consequences of being lax with security—think of recent disruptions at Colonial Pipeline and JBS Holdings USA—to avoid agitating employees or because security and culture clash. For an organization to have a solid security strategy, it “must find the perfect balance between people and technology,” says Joseph Carson, chief scientist and advisory CISO at ThycoticCentrify. “Investing in security technology alone is not enough to reduce the risks of today’s modern threats.”
In fact, “for technology to be configured, deployed and used correctly, organizations must invest in their people to use it appropriately and securely,” he says. “If you invest only in security technology, then your security is only as secure as the people using it. Humans tend to make mistakes, which means organizations face increased risks.”
It’s an important point, since people are at the heart of most cyber incidents. According to the Verizon Data Breach Incident Report (DIBR), 86% of breaches involve a human element.
“People are the largest surface area of cybersecurity risk,” says SCYTHE CEO Bryson Bort, noting “technical controls don’t work in isolation,” but rather should be part of daily operations.
That means taking a long view. Organizations must develop long-term strategies “for human security, which combines awareness, behavior and culture that helps both the short-term awareness needs and embed security into everyday tasks,” says Carson. Security teams, vendors and the enterprise, therefore, must make security usable and the preferred choice for workers.
Getting to that point, though, presents some challenges. First, there needs to be a shift in thinking regarding security’s role. Organizations and security teams alike have grown accustomed to casting security as the “Department of No” in the enterprise, existing as a thorn in the side of business and there simply to reject employee requests for access to the applications and network resources that make it easier for them to do their jobs. “Traditionally, security has been perceived as something that is the responsibility of the CISO and his team—‘not my problem’—and something painful that goes against productivity, preventing people from doing their job,” says Jerome Becquart, COO of Axiad. “These two points have to be addressed and corrected.”
Companies bent on embedding cybersecurity into their cultures also must first “overcome that old department thinking that security is someone else’s problem,” explains Schrader.
Ani Chaudhuri, CEO, Dasera, agrees. “Security isn’t just the security team’s job. Compliance isn’t just the compliance team’s job. It takes a village to keep data secure and compliant. Data owners, data stewards, DevOps, engineering, HR, legal/compliance, privacy and security all need to work together to keep data secure and compliant,” he says. “In addition, all employees with access to data need to be sufficiently trained in security and compliance, and companies need to have a culture that fosters security and compliance.”
If companies can’t course-correct and find a more comfortable fit between security and culture, Bort says, they face “an increase in risk, both probability and impact of an incident.”
For those companies that do find that fit, the benefits go beyond just securing the business and dissuading employees from seeking workarounds for security. They’ll be better positioned to securely continue their digital transformations that were likely hastened by the pandemic. “Security, privacy and compliance are the fundamental components of all digital transformation strategies and programs,” says Niamh Muldoon, global data protection officer at OneLogin.
Security Nature, Security Nurture
Aligning security with corporate culture requires that management, security teams and users all get onboard. Like most of an organization’s cultural issues, alignment “begins at the top,” Bort says.
“There are two kinds of companies: ones where the leadership prioritizes security and those that don’t,” he says.
“Enterprises should focus on their security culture, setting the tone from the top of the enterprise,” agrees Muldoon, who advocates for a “security nature and security nurture” approach.
“Build highly performing teams, which include having the security voice and input at the design and architecture stages,” she says. “Measure, monitor and reward teams for implementing security requirements throughout their project development life cycles, and especially recognize those teams having security-conscious mindsets.”
If those disciplines are represented at both the strategic decision-making and program operational levels, Muldoon says, an organization’s culture will transform “with a security, privacy and compliance mindset” and be better positioned to face an ever-increasing threat landscape.
She urges leaders to “discuss and review how they operate their business.” Any organization that doesn’t have a digital transformation strategy in place should take the time to define one.
Security, too, has an obligation to ease its fit into corporate culture. “Our responsibility is to present security concerns in plain English in business context,” keeping users in mind, Bort says.
“Don’t speak nerd!” he says. “Security should be service-oriented: Define what your organization provides and make it convenient for users to access these offerings.”
In the end, a “symbiotic or hand-in-hand culture provides direct value to the overall organization because it ensures that security fulfills such tasks as providing security awareness and training to employees on avoiding phishing and identifying other data breach techniques,” says Tom Garrubba, CISO at Shared Assessments. It also positions security “to support the business via tools and techniques to keep their data safe and sound and to advise the general business of the various threats and risks—like supply chain and geolocation risks—that may stifle or negatively impact the business’ operations.
“Once these points are understood by all, then the organization will effectively establish a good security culture,” he says.