A Holistic Approach to Creating the Ideal Cybersecurity Culture
govciooutlookapac


Daniel Krebs, CISO & Deputy Director, Information Services, County of Monroe, NY


Cybersecurity culture: challenges and part of a solution

You’ve heard it before: “The human firewall,” “The first and last line of defense,” “The best cybersecurity investment.” Those phrases are as relevant as ever. After all:

“The human element continues to drive breaches. This year 82% of breaches involved the human element,” according to the 2022 Verizon Data Breach Investigations Report.

Upholding our organizations’ cybersecurity is part of every employee’s responsibility regardless of the job role.

Ingraining that mentality, that awareness of privacy and cybersecurity risks like phishing and unsafe browsing, is critical to the entire cybersecurity posture within every organization.

The challenge

How can we increase our organizations’ cybersecurity culture? How do we do that?

Developing the right cyber culture is very much a consistent and long-term effort, with very few metrics to show progress for your initiatives. Couple that marathon mindset with the constraints on hiring and employment in the government space, and it is no surprise that this daunting task doesn’t rank as high as it should in our daily shuffling of priorities and resources.

Articles with guidance can vary significantly, from general advice like “Start from the top down” or “Have a security awareness program” to down-in-the-weeds technical proposals like “Ensure users can only access what folders they need.” While those are all good advice, the truth is that getting cybersecurity right for your organization’s culture is not a one-size-fits-all model. There isn’t official, cyber-culture-specific guidance from federal agencies like NIST or CISA on how to elevate cybersecurity attitudes and behaviors in the workplace. Picking and choosing strategies is critical to building that culture, but also complicated. No one has the bandwidth to spend on efforts with no return, so what actions or strategies are high-return investments in improving cybersecurity culture? The basics (an Acceptable Use Policy, cybersecurity training and phishing testing) are obvious, but the ongoing effectiveness of those standards plateaus early.

Solutions: One practice

One of the best returns is all about active, conscious engagement, and that doesn’t have to be as complicated as you may expect.

“Crafting an engaging cybersecurity all-staff newsletter is one simple and effective technique that will improve cybersecurity culture for any program”

Canned training and policies are forgotten as quickly as they are clicked-through, but putting a voice or a picture to a communique adds a mental association. My favorite tried and true strategy for simple engagement?

The Cybersecurity All Staff Newsletter

Creating a friendly, all-staff newsletter email not only shares pertinent cyber information, but also keeps the cyber conversation alive. There are still some questions to consider: Who should the email reply-to be? What cadence should the newsletters go out on: monthly, quarterly, or even weekly during October (Cybersecurity Awareness Month)?

Some tips to help you get started:

• Create a reusable template.

• Cyber Content:

- Something happening in your company

- Something useful in their daily lives

- Something relevant, local, probably scary

• Add humor, even bad humor, or pop culture references.

• Insert pictures – how many words are they worth?

While everyone will agree on the value of improving the cybersecurity culture, there are no clear-cut, one-size-fits-all programs for how to accomplish that. There are many sources offering guidance and practices, but most are trial-and-error efforts. Crafting an engaging and personable cybersecurity all-staff newsletter is one simple and effective technique that will improve cybersecurity culture for any program.
