Creating an Organization-Wide Culture of Data Security

Cybersecurity can only be effective if everyone in the business approaches it with the right attitude. CISOs must lead on education and awareness to create security-conscious business cultures

Just as a chain is only as strong as its weakest link, a company’s cybersecurity is only as strong as its weakest employee. As a result, implementing a well-designed cybersecurity awareness program is key, especially when many employees are working from home.

“One of the main objectives in our security program is building human firewalls,” said Gautrain Management Agency IT Security Officer Henry Denner. “We have an elaborate awareness campaign that focuses on engraining a ‘security mentality. amongst our staff.”

A 2020 report from cybersecurity awareness training company KnowB4 shows that 94% of executives from a wide range of industries think that a strong culture of cybersecurity important to their organizations’ success.

How to successfully execute an educational program on the subject is an open question, however. This has posed a challenge to CISOs, a task only made more difficult by lockdowns and remote working.

At the same time, CISOs must continue to build relationships of trust with teams and executives across the business. These relationships are critical if CISOs hope to effectively manage cyber risk and drive business objectives forward.

Honing the data security message from accessing hardware and online accounts safely to taking care to dispose of sensitive printed documents or handwritten personal customer information properly, CISOs must establish security practices that employees take just as seriously at home as they would in the office.

“We’ve focused our communications to cover what working from home really means,” says Simon Legg, CISO at Hastings Direct. “We are in the process of deploying improved awareness materials that allow people to assess the security of their environment.”

Sasol CISO Itumeleng Makgati’s approach to this has been to hone her messaging to address specific themes designed to raise awareness about cybersecurity. These messages and one-page reminders are sent to all staff with a monthly theme.

“With the lockdowns and pandemic, we have tailored our message specifically for remote working and connectivity away from the office,” she says. “We provide them [with] relevant messages for this point in time.”

However, the disruption caused by the COVID-19 pandemic has caused an extra wrinkle of complication for CISOs. The personal circumstances of many staff may have changed due to the pandemic and how that might increase the risk from insider threats.

“We have deliberately, as an organization, thought of our colleagues’ circumstances,” says Legg. “Not just themselves, but the situation their families find themselves in.”

Hastings Direct chose to support their staff and their families by providing access to a hardship fund if a family’s main breadwinner should lose their job due to COVID-19.

“When I talk to our response team relative to COVID-19,” Legg continues. “I emphasize the fact that they are helping the security of our business by making sure that we care about people’s wellbeing.”

Building relationships of trust across the business the relationships that a CISO develops with other business units are key for them to understand what the organization’s most valuable assets are, the impact should they be compromised, and the nature of any risks involved.

Building those relationships, however, can be a challenge. A 2020 report by professional consultancy EY reports that 59% of CISOs think their relationships across the organization are at best neutral, to mistrustful or non-existent.

In many organizations, engaging with the cybersecurity team might not be the first item on the agenda for other executives starting new projects.

“It’s very rare, unfortunately, for someone that leads a business area to wake up in the morning and say, ‘You know what? I must set up a meeting with our CISO’”, quips Legg.

“[Hastings Direct] is quite progressive and I have the honor of being part of our strategy group,” he continues. “So, I get to speak with the senior leaders within our organization that are tasked with envisaging where we’re going and delivering against our strategy.”

In Legg’s view, it is essential that CISOs proactively engage with leaders from other parts of the business, especially in organizations that are not already facilitating effective communication on information security.

“There are some organizations where you need to realize that you’re not necessarily at the front of people’s minds,” he concludes. “Therefore, engagement should be at the top of the list.”

CISOs should also seek to speak the language of their colleagues to facilitate more effective communication. One tactic is to simplify the conversation to how each area of the business might be impacted by a security breach.

“If I’m talking to the supply chain director, I need to be talking the supply chain language in a supply chain context,” explains Makgati. “Then, I can bring in an element of how we use technology to mitigate the risk. I find that the message will land if approach it that way.”

“Once you cross the line into the business, you just need to shift how you are conversing and how you’re delivering the message to make it business-relevant,” she concludes. “Make it business-risk dependent, instead of talking about technology.”

This is an extract from the exclusive report The 2021 Information Security Agenda. The report highlights how COVID-19 has rapidly shifted priorities for Chief Information Security Officers (CISOs), requiring them to implement new strategies, technologies and educational programs in a time of heightened risk. Click here to get your copy.