Building a Cybersecurity Culture: Protecting Your Business from the Inside Out
For the 21st consecutive year, October has been declared National Cybersecurity Awareness Month. The month-long initiative is designed to raise awareness and help both businesses and individuals protect themselves online from the many threats that target their technology infrastructure and their personal or confidential data. Building a cybersecurity culture, one that puts protecting your data and information front and center, is of course a year-round effort, and today we’ll explore steps to ensure your organization is embracing this approach.
But first, some background: National Cybersecurity Awareness Month was created in 2004 through a partnership between private organizations and the federal government. Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between industry leaders and the government to direct the initiative. The theme for 2024 is Secure Our World, and it aims to remind everyone that there are simple ways to better protect yourself and your business from online threats. Key points in this year’s effort include highlighting the need to:
- Use stronger passwords and/or a password manager
- Turn on multi-factor authentication
- Recognize and report phishing
- Regularly update software
All of these points are also critical in building a stronger cybersecurity culture. Below, our team of experienced CISOs at Inversion6 provides more insight into how any organization can take steps immediately to push these efforts further. Let’s get started!
How to Further Hone Your Cybersecurity Culture
What are the biggest challenges in building a strong cybersecurity culture, and how do you address them?
The biggest challenge is often not the technology, but getting people engaged. It is imperative to convert the organization from “Security is IT’s responsibility” to “Security is everyone’s responsibility”. Security, ultimately, is a shared responsibility. — Chris Prewitt, CTO
How do you foster a cybersecurity-first mindset across different departments within your organization?
It's cliché and hard to do, but fostering a mindset is about building relationships. One of the biggest challenges as a CISO is falling into the trap of trying to "rule from on high" by creating secure operating rules and focusing on enforcement. Rules are needed to set expectations. Enforcement must happen to close gaps and ensure accountability. But spend time to understand what's happening in the business units and departments — what's working with technology, what's not working, where's the risk, what's the level of cyber awareness.
Even now, most leaders don't understand the threat landscape. They don't understand that everyone's a target. They don't understand that malware, phishing, and ransomware have been turned into service offerings. The best way to help them understand isn't with a 30-second video or a mandatory compliance slide show. It's by investing the time to understand their work and sharing what's relevant about yours. — Craig Burland, CISO
How do you balance technical cybersecurity measures (like MFA or password policies) with educating employees on day-to-day cyber risks?
The simple answer is that the more important an account is to you, the more you need to have a strong, unique password and MFA enabled. For example — your bank account: I would strongly recommend that you have a long and unique password to access your account, and I would absolutely recommend having MFA enabled to provide extra protection. On the other extreme: if you buy a pair of socks off a website and they require you to set up an account — I would still recommend setting up a unique password (who knows how good their security is), but you might be alright without MFA. I would also recommend not saving any credit card information on any sites either. — Jason Middaugh, CISO
In your experience, how does promoting a strong cybersecurity culture help mitigate insider threats?
When awareness is done right, you build an “army of human sensors” throughout your organization…one that is arguably more effective than any piece of technology. The people in your organization inherently know what “normal” looks like in their area of responsibility, which means they can identify abnormalities fairly easily.
What humans are often not great at is feeling responsible for raising a fuss about something abnormal, especially if it seems somewhat benign. The security team needs to help employees understand how important reporting even small abnormalities can be, and be prepared to investigate them. With insider threats in particular, it is far less likely they will trip internal technical controls — by their nature, they are employees using access they have been entrusted with. We become very reliant on our employees reporting abnormalities, and on managers reporting employees who may be in a situation that puts them at risk of becoming an insider threat. — Chris Clymer, CISO
How do you ensure cybersecurity becomes an ongoing conversation, not just an annual training session?
One thing I've been accused of doing as a CISO is always being engaged in discussing cybersecurity topics with your organization. Mea culpa.
One idea to keep cybersecurity as an ongoing conversation, which has worked well for me, is to reserve 5 minutes at the beginning of every weekly IT operational meeting. Use those five minutes to give a cyber risk landscape picture, then address/remind people of your top risk and your current mitigation efforts.
One tool that helps you with this approach is to build a monthly topic map and talk to those topics. A good idea is to take your historical map of incidents and use those as reminders of when to expect attacks (e.g. US tax deadlines mean attacks on W-2 data in February). A measure of your progress will be how many "Hey, tell me more..." conversations you get after your first month.
The bottom line is that the cybersecurity team needs to be regular promoters of the "why" of cybersecurity efforts for your organization. — Thomas Siu, CISO
What role does leadership play in modeling good cybersecurity practices, and how does that impact the company culture?
Leadership is critical to the development and implementation of any program if it is to be successful in the business world today. From a cybersecurity standpoint, one of the key aspects of leadership is communicating to the organization that cybersecurity is not just an IT issue, but a business issue that affects every aspect of the business. As leaders, it is our responsibility to set the tone for the rest of the company and demonstrate our commitment to protecting and managing the most critical assets and information. The leadership in the organization is how cybersecurity is prioritized and made part of daily operations; this then allows a culture to be developed where cybersecurity permeates throughout the organization.
When employees see that their leaders are taking cybersecurity seriously, they are more likely to follow suit and adopt best practices themselves. Benefits of this type of leadership include the implementation of a strong cybersecurity practice that helps to protect sensitive data and intellectual property from theft or damage. This helps to maintain the trust and confidentiality of customers, partners, and stakeholders. Additionally, a strong cybersecurity practice can help to prevent costly downtime and reputational damage in the event of an incident. All of these items are under the purview of the cybersecurity leadership, hence the importance and value of that role. — Damir Brescic, CISO
What are your best practices for keeping employees engaged with continuous learning and updates in cybersecurity?
To keep employees engaged with continuous learning and updates in cybersecurity, it’s essential to make training interactive and relevant. Use real-world scenarios and simulations to demonstrate the impact of cyber threats. Regularly update training materials to reflect the latest threats and best practices. Encourage a culture of security by recognizing and rewarding proactive behavior. — Jack Nichelson, CISO
Get the Tools to Improve Your Cybersecurity Culture with Inversion6
When it comes to improving your organization’s mindset and approach to cybersecurity, Inversion6 provides the experts who can help drive those conversations and create real change. Our team of CISOs draws upon real-world experience in the private sector — no life-long consultants here! — to deliver the insights you need to find security solutions and communicate their importance.
You’ll need more than advice to create a better cybersecurity culture, and naturally you should address such issues much more often than one month a year. Inversion6 has created customized security solutions for our clients — tapping into our expertise, leading-edge technology partners, and experience — for more than 30 years. Whether you need a comprehensive solution that covers everything, or something more specialized that delves into aspects like autonomous pentesting or conducting tabletop exercises, we have you covered.
Need to improve your organization’s cybersecurity culture? We can help. Schedule a consultation today to learn more.