Changing the Dynamics Around Cybersecurity Awareness

We have been doing cybersecurity awareness the wrong way for the last two decades

“People are the weakest link” … That’s what countless security awareness vendors want you to believe.

Many CISOs still agree and build awareness development as the central pillar of their strategy.

In fact, we have been doing security awareness training for the best part of the last two decades, and not just at corporate level: Schools are running their own programmes; governments and their agencies are deploying their own campaigns.

In addition, high-profile data breaches have had an unprecedented level of media coverage over the past decade. Nobody can claim to be totally unaware of cyber threats. In fact, in casual conversation, many people would openly admit to having had some of their accounts hacked, almost as if it was a normal part of life.

Yet we keep structuring awareness programmes around the same high-level canvas as twenty years ago: It always seems to be about training people, telling people what to do and why, putting them in a situation of exposure, sometimes setting the scene through old-fashioned FUD levers, sometimes using more intuitive or emotional channels to bypass cognitive biases and social constructions.

Every employee would have been exposed to several of those campaigns throughout their career, often at induction time, sometimes regularly throughout employment because of regulatory obligations.

Meanwhile, breaches keep happening and nobody seems to question the actual efficiency of those practices.

Fake phishing campaigns are a painful reminder of that: They always work and always will work, but what do they achieve beyond the regulatory box-checking and the sense of guilt and negativity they create? … and catching the CFO one day is never going to bring you anything good…

“We need to keep repeating the message because threats morph all the time”, many vendors would say …

To me, all this is the sign of a more concerning problem: Those programmes fail because they are simply too focused on the technicalities of cyber threats and are often totally disconnected from corporate values.

They try to build a pathway between threats and action, but if the threats cannot be interiorised because they have no cultural subset to sit on, action is not likely to follow.

The challenge here consists in repositioning the focus to build a pathway between corporate values and cyber threats, effectively making the threats relevant to the culture of the firm at large, and embedding that reality in the way the firm works and operates.

This is the psychological ground on which calls to action can be built, effectively leading to employees taking active steps to protect the firm from cyber threats.

Most people would naturally protect what they care about, and it is that sense of care that needs to be created or nurtured.

Change – in this instance, change in attitudes – rarely comes out of creating a sense of urgency around it, as Greg Satell has rightly pointed out repeatedly in many of his articles: It comes from creating a sense of safety, in this instance the sense that taking specific steps to protect your employer from cyber threats is culturally right, because it belongs to a set of values the firm and its management embody, values which you endorse and also believe in.

Of course, this is harder than distributing leaflets, putting posters on walls or pushing box-ticking online courses, and it requires a positive culture to function, not a toxic one.

Don’t expect any of this to work in firms where employees constantly see their bosses flouting the rules and holding them accountable at the sight of the first breach.

It can only work if it is driven firmly from the top without ambiguity or hesitancy: Business protection values and their place at the heart of the corporate ethos have to be visible constantly at the top of the organization.

It takes a strong sense of leadership from the top, and of course a genuine belief that business protection – from cyber threats and all other threats – is simply a pillar of value creation, that it protects shareholders, customers, employees, and in the case of critical operators, society at large, and that it has simply become a basic matter of good management and of good business.

JC Gaillard

Founder & CEO

Corix Partners

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.