Transforming Cybersecurity’s Weakest Link (Part III)

Harnessing the Human Factor as a Strategic Asset

This is Part III in a series focused on how to transform your workforce into a cybersecurity asset rather than a liability.

Part III: Culture

Human-Centric Cybersecurity: A Paradigm Shift

Congratulations! If you’ve made it this far, you learned why we mere mortals may occasionally make incredibly bad decisions when it comes to cybersecurity. You also should have a good idea of how to set up your organization’s cybersecurity policy.

Now let’s get to the fun part: culture.  

Because policies must never be allowed to languish, we’ll discuss how to embed your new cybersecurity policies into everyday decision-making through your company’s culture. Regular communication, hands-on training, real-world simulations, and ongoing discussions about security help shift cybersecurity from an abstract mandate to a practical mindset for employees to live by. 

Show, don’t just tell 

First things first. Your company’s senior leadership needs to model and promote shared responsibility around cybersecurity. They should be visible at the company’s training sessions and ensure that cybersecurity policies are reinforced and followed at all levels of the company. Senior leaders also need to communicate regularly why it matters that the company take a security-first approach.   

And while written cybersecurity policies are indispensable, nothing beats hearing about actual incidents (anonymized if necessary) to make the threat real and memorable. People often forget the facts and details, but they never forget a compelling story.

Support blameless problem-solving   

In many industries where people’s lives are on the line, such as health care and the airline industry, leaders strive to make adverse event reporting part of the cultural norm.  

Rather than single out individuals for mistakes, leaders in these industries recognize that human error is inevitable. As a result, they seek to understand which systems, processes or conditions contributed to the mistakes and look for ways to prevent them from recurring. Blameless problem-solving cultivates trust and accountability within teams and encourages employees to share their own mistakes, as well as “near misses,” to improve their team’s overall performance.

Make cybersecurity the easy choice 

Surveys find that one of the top reasons employees avoid reporting security threats is fear of repercussions – which is why it’s so important to practice blameless problem-solving. Furthermore, when we make our security tools and policies user-friendly, it encourages people to engage in the kind of secure behavior we want to see. Reporting security incidents should be an easy and straightforward process. And don’t forget to thank employees for being a part of the solution.

We’ve written before about “Shadow IT” and other unintentional risky choices that busy employees may make either because they mistrust the IT department or they think it will be too slow – sometimes both! Think about ways your IT department can be more visible in your organization and responsive to employee requests. If the IT functions at your company are outsourced, encourage your employees to contact them whenever they have questions or concerns.  

Regular surveys can also provide important insights into how well the current networking systems are functioning. If there is a high level of frustration in a particular area, it may be something you need to troubleshoot and find a more streamlined solution for.

Celebrate continuous improvement 

Cybersecurity awareness should be integrated throughout the employee experience – from the moment people are hired and every day thereafter. Embed security into daily routines, decision-making, and the broader company culture, so secure behaviors become instinctive, such as locking your computer whenever you step away and practicing good password hygiene, including setting up a password manager so you don’t have to remember your passwords.

Also, consider whether there are ways to make cybersecurity more fun. One thing people love to see is how much they have improved. Think about publishing metrics internally on incident reporting, phishing click rates, and MFA adoption – and reward progress along the way. 

In conclusion, remember that positive reinforcement and visible, supportive leaders are essential for transforming cybersecurity’s weakest link – humans – into one of your greatest strategic assets.
