Hackers are always a problem. And naturally, your IT Department has network security buttoned down. But they are probably more worried about something else: you and your colleagues.
The big challenge in cyber security is people. It is how to change an organisation’s culture from relying on IT for security into one where everyone takes responsibility. Everyone, from the CEO to the newest intern.
John Kotter famously proposed an eight step process for changing organisational culture, starting with “Establish a sense of urgency” and finishing with “Institutionalise the change”. Well, most people realise that the cyber security problem is pretty urgent. So I thought I’d outline a separate set of eight steps that organisations can follow to strengthen their cyber security culture.
Step 1. Build your guiding coalition
Start by building a multifunctional team to guide change. Cyber security shouldn’t be the responsibility of IT, so you will need people from across the organisation to be involved: sales, marketing. operations, finance… This is essential so you get buy in across the organisation.
More importantly though, if your approach to security doesn’t take account of the way people work, it will fail.
Step 2. Form your vision and scope out your intentions
Next you need to form your vision for cyber security. That should be simple: to protect your assets, reputation, efficiency and information from computer based threats, and to ensure that your digital information is private, is accessible by people who have authority, and has integrity (think “the truth, the whole truth and nothing but the truth”).
In addition you will need to identify the scope of your vision: who it applies to, and what assets, processes and information is relevant. You will also need – and this is a big task – to identify the risks that your vision faces and how best to manage them.
Step 3. Define the details of what you want to achieve
Out of your vision will come the detailed policies you need around cyber security (including policies on IT and web use, Bring your own device, Privacy, and Social media). These need to be expressed in clear language: avoid techie jargon at all costs. Having a truly multifunctional team should mean that the policies should be relevant and effective for your whole organisation.
Step 4. Build new processes
Based on your policies you will be able to identify the tools you need to implement and the processes you need to develop that will help to protect you from cyber risks. It is vital to include a cross section of employees in the design of these systems. Without them you are likely to end up with unusable, frustrating and inflexible processes. If that happens your workforce will soon be looking for ways to work around them. So remove any barriers to people being cyber safe.
Step 5. Educate
Bring your policies to your workforce and educate them about any new tools and processes. Tell them why cyber security is important – for your organisation but also for them personally. And make sure they understand what they should do if they have problems or if things go wrong (as they surely will).
Don’t rely on one off training sessions: make sure that security is constantly “front of mind” with reminders using different techniques, messages and media hitting them as often as possible.
Step 6. Persuade
You can “educate” all you want, but if you fail to persuade them about the importance and effectiveness of what you are proposing then you won’t change anyone’s behaviour.
There are lots of methods that you can steal from marketing and from behavioural economics here. For instance, make sure authority and other credible figures are seen to follow the rules (if the Chief Exec is lax with security you can be certain everyone will happily follow their example). Prove to people that your new ways of working actually deliver benefits. Help people realise that they face constant and sometimes personal risks but (and this is very important) that there is plenty they can do to keep safe.
Keep an eye on how people are incentivised as well. Not about cyber security but about their every day tasks. Don’t put incentives in place that could persuade people to behave in an insecure manner.
Step 7. Socialise cyber security
Kotter talks about “enlisting a volunteer army” and that’s exactly what you have to do. You need everyone in your organisation buying in to the idea of cyber security. Part of this will be ensuring that “the organisation” behaves properly: if it is seen to be cavalier with the security of customer data for instance your internal processes will lose credibility. Ultimately you want your workforce disapproving of people who behave unsafely.
Disapproval doesn’t mean developing a blame culture. That would be very damaging – given the ever changing nature of cyber threats you need people to be able to feel safe if they make a mistake or if they respond wrongly to a new threat. But you do need people to accept cyber safety as the norm and as something that has value in protecting their career and indeed themselves personally, as well as protecting their colleagues and the organisation as a whole.
You might want to take some ideas from Sales as well – leader-boards for people who are particularly effective, prizes for good behaviour, simple recognition for jobs well done…
Step 8 Monitor and enforce
Measurement is very important. Your organisation needs to know how well it is maintaining a positive security culture. Identify some relevant KPIs so you will know if you need to take remedial action.
Enforcement is also important. If people who act unsafely are seen to get away with it then others will quickly follow them. Regular negligence and malicious behaviour may need disciplinary sanctions. More often than not though, you will simply need to offer a little “re-education”. And treat this as a learning opportunity for the organisation as well as the individual concerned. After all if someone is regularly breaking the rules it could well be the fault of the rules!