How do I Create a Cybersecurity Awareness Culture?

Lead by example, set written policies for others to follow, and hold training so everyone knows what to expect and what is expected of them.

For a business owner, the best approach is a top-down one, with leading by example as the main goal. The culture must accept new policy directions, take the time to put proper controls in place, and allocate the resources to implement and monitor those controls (Worstell, 2014). An organization whose culture, from the top down, accepts a project slipping its schedule to implement the latest cybersecurity controls will be more successful than one that frowns on the project officer and urges them to cut corners to meet deadlines.

My own organization has built a culture based on providing a secure product. Therefore, the culture allows a project the time and resources to ensure all controls from NIST SP 800-37 are in place and tested for verification prior to delivery. This is possible because the entire culture is aware of the risk associated with designing a system that has unmitigated vulnerabilities (National Institute of Standards and Technology, 2015). We are renowned for the cybersecurity of our systems, verifying and validating all source code and running penetration tests in a secure cyberwarfare test bed.

Lessons learned from any cyberattack are researched for best practices and disseminated throughout the business so they can be implemented at scale. Employees are trained on the expected behaviors to reinforce the culture.

References:

National Institute of Standards and Technology. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

National Institute of Standards and Technology. (2015). Computer Security Resource Center. Retrieved from Computer Security Division: http://csrc.nist.gov/publications/PubsSPs.htm

Worstell, K. F. (2014). The role of the CISO. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed., pp. 65.1 - 65.20). New York, NY: John Wiley & Sons.
