What is Cybersecurity Culture?
The cybersecurity culture of an organization encompasses the knowledge, awareness, attitudes, and behaviors of employees regarding cybersecurity, information technologies, and the cybersecurity threat landscape.[1] Historically, cybersecurity approaches have been reactive: employees came forward with potential issues, such as phishing emails, and cybersecurity professionals were then dispatched to address them. Unfortunately, this approach can be devastating in today's cybersecurity climate, with cyberattackers launching increasingly sophisticated and costly attacks on organizations of all sizes, particularly those that have introduced new security vulnerabilities in recent years as more of their workforce works remotely.
With the stakes being raised year after year, security analysts are under constant pressure to actively defend against cyberattacks and protect critical data assets.[2] Often, these professionals are left to shoulder the responsibility when a cybersecurity incident occurs, and the pressure is proving to be a mental health crisis. Application security provider Promon surveyed cybersecurity professionals and found that:
- 66% reported having experienced burnout this year
- 51% reported working four or more hours per week over their contracted hours
- 50% reported that the workload was their biggest source of stress
Creating a cybersecurity culture is critical to proactively defend against cyberattacks, and it also can help to alleviate the disproportionate burden and stress that security analysts face when they must address current issues while implementing solutions for long-term protection. The following elements can create a cybersecurity culture where cybersecurity is strengthened by sharing the responsibility for it across the organization:
Cyber-hygiene promotion. Cybersecurity practices should begin at the C-level and permeate through all levels of the organization. Administration can set the tone by prioritizing cybersecurity and modeling positive cybersecurity practices. Administration can achieve this by participating in cybersecurity training, enforcing security policies across the board, and ensuring board members adopt procedures.
Communication. Consistent communication about policies, procedures, and expectations makes it easier for employees to follow cybersecurity protocols consistently. Develop clear reporting procedures and engaging cybersecurity trainings, communicate changes, be open to questions, lead by example, and communicate expectations clearly and consistently so that there is little confusion and no surprises.
Threat landscape. Explain what the cybersecurity threats are and what is at stake for the organization, so that every employee can understand their critical role in the system.
Zero-trust. Implement zero-trust security strategies such as multi-factor authentication and explain to employees how these measures help to increase cybersecurity for the organization, and protect them as individuals, as well.
[1] Duggal, 2022, "How to Create a Strong Cybersecurity Culture in Your Organization"
[2] Keary, 2022, "Mental health: 66% of cybersecurity analysts experienced burnout this year"