Seven tips for building a culture of cybersecurity accountability

Cybersecurity best practices and policies should be followed by everyone within an organisation, not just the leadership team. Corey Nachreiner, CSO at WatchGuard, offers his top tips for building the most effective and resilient cybersecurity culture that ensures employees can adopt your mission.

Effective cybersecurity often boils down to doing the basics: patching, updating, not clicking suspicious links or attachments and following other day-to-day best practices for using applications and systems. However, sometimes this knowledge only stays within the network admin/cybersecurity teams and fails to make it to ‘regular employees’, creating a company culture that’s susceptible to attack rather than a culture of accountability. Below, I’ll discuss seven tips for building a culture of cybersecurity accountability throughout all levels of an organisation.

1. First, start with leadership. Any successful cybersecurity culture starts with the executives. The leadership team is where the organisation looks for guidance. Not only will they have to approve any resource and budget you need for your program, but employees will look to them to set an example. Ensure leadership is helping spread your cybersecurity message just as consistently as you are. Examples of this could include devoting time to discussing cybersecurity during company-wide meetings, having an executive share their thoughts on upcoming trainings, or even a quarterly award for best cybersecurity practices. Leadership buy-in showcases that cybersecurity goes beyond the company’s security team.
2. Define the mission and what’s at stake. While you don’t want to spread fear, uncertainty and doubt (FUD), it is important to share the importance and necessity of cybersecurity in all modern organisations. Spend time discussing the mission of your cybersecurity team and how they support and allow your business to do what it does. Use real-life examples to illustrate the reality of today’s cyber-risk; you can make them more impactful by including data and stories from your industry to show the real-life harm that attacks have inflicted on companies like yours. You will find that if you spend a little time sharing ‘why’ your team creates the security policies you have, employees will more willingly follow them.
3. Be honest and transparent using plain ‘blue jeans’ language. Security centres around trust and the best way to establish trust with anyone is honesty and transparency. Using plain language, rather than technobabble and acronyms, to genuinely convey messages that employees in any role can follow is the best way to build rapport within your organisation. You won’t impress your co-workers by using obscure industry lingo or terminology and doing so only confuses and disengages them.
4. Explain why cybersecurity awareness matters all day long. While your mission is to secure your organisation, the same cybersecurity culture you instill in employees will also help them at home. Cyberthreats are ubiquitous and have affected home users as much as corporations. Make sure your company knows the practices they follow at work will serve them well in their personal lives too.
5. Make training, fun, engaging and rewarding. While cybersecurity is a serious topic, that doesn’t mean it has to be boring and dry. The best education programmes use fun and play to encourage an engaging learning atmosphere. Use education programmes that focus on audience interaction. Most importantly, reward the individuals who do the right things or engage the most. Cybersecurity culture will develop much faster with a carrot, not a stick. Everyone — and I do mean everyone — makes a difference as an organisation’s security is only as strong as its weakest link. With many attacks preying on individual human factors, even the most basic roles can make a big difference. If employees know they can contribute, they will — especially if you occasionally reward them as mentioned above.
6. Create a positive atmosphere. Everyone messes up sometimes. Punitive actions for mistakes will not drive behavioural change (at least not for long). Focus on constructive criticism and more positive communication methods. Makes sure your organisation knows you provide a safe way to learn from mistakes or failure.
7. Finally, welcome feedback and help. Cybersecurity culture should not be a one-way street. Communication should flow both ways and across the entire organisation. Create an information security council that includes stakeholders in all departments, not just IT and security. This conveys that you believe everyone’s feedback matters. Make sure employees know you have an open-door policy where everyone’s feedback and input make a difference. Start a suggestion box. Not only might you get amazing ideas from team members outside of traditional security roles, but people are much more likely to adopt your mission if they feel they have contributed to making it.

Now more than ever companies in all industries and of all sizes must adopt cybersecurity policy. One of the best and most effective ways to do that is by curating a healthy organisation-wide cybersecurity culture, and the list doesn’t stop with the above. Additional tips and tactics include making your security mission personal to employees, helping your organisation understand cybersecurity is a team sport and appointing someone who owns accountability for the programme to drive it. However, starting with the five key tips discussed here will help you start building out a cybersecurity culture that will stick within all levels of your organisation.