Kim Crawley - 8 Steps to Better Security


8 Steps to Better Security: summary and description


Harden your business against internal and external cybersecurity threats with a single accessible resource. In 8 Steps to Better Security, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.

Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:

- Foster a strong security culture that extends from the custodial team to the C-suite
- Build an effective security team, regardless of the size or nature of your business
- Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
- Test your cybersecurity, including third-party penetration testing and internal red team specialists

Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.

8 Steps to Better Security: excerpt


All security controls are useless if they are ignored. Good security is usable security. Good security is adopted security. The starting point, then, is empathy and kindness for the people we are charged with defending.

Daniel Chromek is CISO for ESET, a major developer of antivirus software and various security products. I believe that everyone in your organization needs to develop good security habits. Here's what Chromek told me about that:

I would stress the word everyone. I'm in a better position compared to my peers (CISOs of other companies, including those outside of the cybersecurity industry) as we are a security company. This means multiple things. It's easier to explain to my business managers, as they natively understand that “we are a security company” means our brand is based on the security of the company. And even people in departments that don't need to understand security management understand that branding is important.

Security culture means that part of awareness training is decentralized. If someone is targeted by phishing, then they can speak to a colleague in the same room (now virtual) and ask them to take a look into it instead of going through an IT ticketing system.

People aware of security can smell if they are being deceived by FUD, so the communication from the security team needs to be straightforward. (Both Merriam-Webster and Urban Dictionary define FUD as fear, uncertainty, and doubt.) Also, security-aware people can point out bad (security) control selection or implementation very quickly by replacing auditors or specialists.

Of course, the security culture is not a replacement for security controls, but it helps in all kinds of controls, even unpleasant ones.

As with all the work you must do to keep your company secure, establishing and maintaining a strong security culture isn't a project you set and then forget, as some infomercial spokespeople love to say about their As Seen on TV products. It's a constant, everyday process. It's something you build and maintain over the years. And if you neglect it, it will die. I love cybersecurity expert Bruce Schneier's ideas, so I'll quote him again as I often do in my writing:

Security is a process, not a product.

How to Foster a Strong Security Culture

As I've mentioned, a strong security culture doesn't stop at your IT department. Every single person in your organization, from the bottom of the corporate hierarchy to the top, must be part of it.

Everyone in your company is relevant to your cybersecurity in some way or another. Your employees and contractors use your computer network, whether they're in the company workplace or working from home. Security guards and receptionists control physical access to the buildings that contain your computers. Your other employees could also mistakenly or deliberately let someone into your building who doesn't belong there, granting a possibly hostile entity physical access to your computers.

Every single thing your company's employees do with your computers, networks, and buildings can affect your security posture in a positive or negative way.

A strong security culture begins when everyone understands how they can affect your security and they are willing to be accountable for that. Next, you need to promote security awareness. As with everything security-related, security training isn't something you should do only once. People in your organization need frequent security training and reminders about proper security habits.

One of the most important things you can do is to train your workers to resist social engineering attempts. Explain what phishing is and the various ways it can manifest through phone calls, text messages, emails, web pages, and social media posts. Teach them that cyberattackers could pretend to be a person or company they trust, and teach them to engage in healthy skepticism. And you must support that skepticism by reminding them that they won't be reprimanded for questioning whether your chief executive officer (CEO) or tech support workers are who they say they are when they phone, email, or text message them.

Your email servers could have robust antivirus software that scans all email attachments that go through the system. Nonetheless, no antivirus software is perfect. Malicious email attachments are one of the most common ways that cyberattackers acquire unauthorized access to computer systems. So, part of your company's regular security training should be a reminder that workers should only open email attachments they expect to receive, from senders they're familiar with.

You probably detect a pattern here. Whether information is communicated over the phone or through your computer networks, your people must remember to be cautious about who they grant access to, and to what those people have access. There are lots of different lessons you must frequently teach your workers, but they're all extensions of that theme. That's what security awareness is all about, the bedrock of your security culture.

Helen Patton teaches information security at Ohio State University. She shared some security awareness training tips with me:

Awareness training should be broader than just the company's data, with the theory that they will more likely apply security skills to stuff they care about first (family, friends) and then bring those habits to work too.

Awareness training should be about building advocates, not just partners. Reward them for good security behaviors—visibly, loudly. Don't punish for bad behaviors—naming and shaming just breeds anti-security workarounds.

So, those are the ideas you must encourage your people to remember. But how can you motivate them to be engaged? Well, as much as my love of cybersecurity knowledge drives my career, money is one of my main motivations. I have no interest in becoming super wealthy, but I need money to pay my bills and buy food, video games, and Demonia boots. I'm not unusual, except perhaps in my taste for footwear. People do well in their jobs because they want and need money, a necessity in our market economy. Security Journey CEO Chris Romeo also sees money as a useful motivator to get your employees to do good things for cybersecurity:

When someone goes through the mandatory security awareness program and completes it successfully, give them a high-five or something more substantial. A simple cash reward of $100 is a huge motivator for people and will cause them to remember the security lesson that provided the money.

I discuss how to build a security team in step 2. But yeah, dangle a monetary carrot in front of your workers! It won't hurt to give that a try. And as Romeo implies, $100 is much cheaper than a data breach!

Here's some more advice for fostering a strong security culture: make security awareness and training fun. In my writing, I convey my emotional and enthusiastic personality. I also get silly sometimes. I know that by writing that way, I can retain your interest and attention more effectively than if my writing were dry and boring, like a lot of technical documentation and textbooks. If you find security concepts to be exciting and fascinating, you can express that attitude in how you conduct your security training and reminders.

It may help to quiz your employees about security in the style of a game show. Maybe you can search Randall Munroe's archive of xkcd web comics and find the perfect comic strip to complement a security concept you're teaching.

Be creative with how you present security knowledge and encourage good habits in a fun way. If you feel that your imagination is lacking, there's probably a creative thinker in your company who can help you with this.

Train your workers regularly, and give them frequent reminders of how they can work and interact with your computer systems in a more secure way. Now you're well on your way to fostering a strong security culture. But before we move on to step 2, there's one more thing I'd like you to keep in mind.
