• Sat. Aug 13th, 2022



Making Sense Of Cybersecurity Culture By Defining And Engaging It

Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.

Security programs have long focused on the deployment of technology-based defenses to ward off cybercriminals—firewalls, intrusion detection and prevention, endpoint protection, secure email gateways and so on.

We have a lot of great technology available these days to provide protection for our systems and data. But here’s the rub: We still have a breach problem. And that breach problem is outpacing organizations’ spend in technology-based defenses. So what gives? I believe this is because organizations have been missing an essential element of defense—the human layer.

Why A Focus On Humans Is Important To Security Efforts

Precisely because technology has gotten so good at protecting data, hackers have been forced to adjust their methods with workarounds to gain access. They’ve realized that hacking through the technology is becoming increasingly difficult. So the path of least resistance becomes tricking humans into helping them bypass technology-based defenses.

Humans have become the primary attack vector for cybercriminals. That’s why it’s so critically important to strengthen the human layer of security—what I refer to as the thin orange line.

The color orange is associated with enthusiasm, creativity and success—a fitting designation for the role employees could play in helping protect the organization’s systems and data, as long as you lay the proper foundation and take the right steps to establish an effective security culture.

Just as law enforcement is symbolized by the Thin Blue Line and the Red Cross signifies medical personnel, the thin orange line can represent an effective line of defense against cyberattacks.

Where You’re Most Vulnerable

The truth is that technology alone won’t be sufficient to deflect all hacking attempts and humans will never be totally invulnerable to breaches themselves. That doesn’t mean organizations should cease their efforts to strengthen the thin orange line of human-preventable cyberattacks.

Companies are vulnerable to the actions—or inaction—of people. Here’s why:

• Hackers are always looking for unpatched software and outdated operating systems.

• Employees may negligently—or intentionally—ignore security policies, controls and processes.

• Technology constantly evolves, meaning that associated policies must evolve in lockstep.

Focusing on the human side of things isn’t a single-point-in-time event—it’s an ongoing process and program. It’s not something that can be crossed off a to-do list or considered “done.” That can feel a bit disheartening. The good news is that if you focus on creating and supporting the right security culture, you can minimize risk.

The Important Role Of (The Right) Security Culture

What do we mean by “security culture”? If you were to ask 10 security professionals what security culture is, you’d likely receive a wide assortment of answers. That range of understanding of what security culture means is a big part of the reason it can be an elusive concept to achieve. Here’s my definition: Security culture comprises the ideas, customs and social behaviors of a group that influence its security.

Security is something that should be embedded. A further definition naturally flows from this foundational concept: Security culture = security values woven throughout the fabric of the entire organization.

The question isn’t whether or not a security culture exists. The question is how it needs to be engaged. That requires intentional, ongoing communication, training and education of employees across departments. Organizational leaders must intentionally focus on pinpointing and measuring the security-related aspects of their culture—that means being proactive about security culture management.

Human knowledge, beliefs, values, behaviors, expectations and social pressures are all involved in everything that matters within an organization from a security-culture perspective. Consequently, conversations about human-layer defenses (bolstering the thin orange line) and their impact on the protection of systems and data need to be ongoing within executive teams and board of directors.

More than 85% of breaches are traced back to humans. That’s how much it matters. It’s time to invest more resources in the human layer. What steps are you taking to bolster the thin orange line in your organization?

Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?