Good cybersecurity extends far beyond your cybersecurity function.

Strong cybersecurity isn’t confined to your SOC, your security stack, or the operations your CISO oversees.

Cybersecurity is everyone’s responsibility.

From entry level to C-Suite; from clerical roles to more manual, hands-on work; from those in the office to those on the road; everyone who makes up an organisation has a part to play in keeping that organisation cybersecure. That includes freelancers and contractors too!

Though a lot of focus gets put on technical implementations in order to maintain cybersecurity, it bears repeating that cybersecurity requires cultural, people-focused change too.

And that’s what makes creating a security-focused culture so difficult. It’s easy to implement a technical tool and switch it on, but it’s far harder to change people’s hearts, minds, behaviour, attitudes, and muscle-memory.

So let’s explore 5 essential considerations that should go into fostering a positive cybersecurity culture, instilling good cybersecurity behaviour, and supporting everyone in doing so. But first:

Why is Creating a Cyber-Secure Culture Essential?

Because nowadays, cybercriminals are less focused on circumventing cybersecurity protections using tech know-how, and much more focused on using human psychology, habits, and empathy to find a way to do damage. This is called “social engineering,” and when this is done via email, it’s called “phishing.”

According to the UK Government’s Cyber Security Breaches Survey 2023, phishing and impersonation attacks are by far the most common type of attack suffered by British businesses and charities (Source: Fig 4.2).

These attacks can be surprisingly sophisticated and believable. It’s therefore essential that your teams understand the risks and know how to keep themselves, and the whole organisation, safe from attack.

This article isn’t intended as a blow-by-blow account of how to fully secure your organisation. Rather, it provides some essential considerations for C-Suite executives and hiring managers around building a collective approach to cybersecurity that protects – and involves – everyone.

5 Essential Talent Considerations for Building a Cyber Secure Culture

Staffing, Retention, and Culture

There’s a lot of buzz around “hiring on cultural fit” – and rightly so. Establishing how well this relative stranger is going to gel with their potential colleagues, how they will approach their work, and what potential they bring is crucial.

However, personally, I’d also investigate how cybersecurity-savvy they are. Considering the scale of social engineering attacks, the eye-watering ransoms, and the humongous fines being reported, it’s well worth assessing an applicant’s security knowledge (or their willingness to learn and abide by good security know-how) before hiring them.

Effective background checks are essential for all applicants, but they’re non-negotiable when you’re hiring within the organisation’s security function – especially given that some cyber pros moonlight as cybercriminals to make ends meet! It’s another reason to monitor staff sentiment, keep your teams happy, and pay them well.

Finding applicants that fit your culture and tick all of your security boxes can be quite the chore – and that’s where specialist recruiters can really help out. Proactive recruitment agencies like Bestman Solutions get to know each candidate and their place in the market well, and seek to understand the human behind the resume! A good recruiter’s input can further help you hire on attitude and potential.

But let’s zero in on hiring within the cybersecurity function for a moment. I’m firmly of the opinion that a diverse security team is a much stronger team than one that’s a little more homogenous. When people have different experiences in life, they are more likely to have different attitudes to risk and threats, and therefore bring different, valuable perspectives to the security function.

And I’m not just talking about diversity along gender, race, and LGBTQIA+ lines. For example, there are numerous examples of military veterans making excellent cybersecurity personnel. They’ve already been trained to keep a cool head under (often literal) fire, they’ve worked in a high-stakes environment, they’re experienced team players, and often have a strong sense of duty.

Let’s not forget about different levels of corporate cyber-maturity either. Organisations in commonly less cyber-mature niches (such as, rather worryingly, healthcare, banking, and industry) may benefit by hiring candidates from more cyber-mature spaces to help “bring them up to speed.”

But once new hires (or new contractors) come on board, there’s still work to be done. Create a solid, auditable onboarding process to ensure that all newbies are on the same page. This can include having them sign all relevant agreements, showing them emergency evacuation points, and (most importantly for this article) confirming that they’ve completed your mandatory cyber-awareness training and have signed your IT misuse policies. When this process is applied as a template for all new hires to follow, nobody slips through the cracks.

Thorough and regular cyber-awareness training shouldn’t just be for new hires though – everyone should receive it, regardless of whether they use an internet-connected device in their daily work or not. Cleaners, warehouse staff, office juniors, middle managers, the C-Suite: EVERYONE, across all departments, should receive cyber training that’s relevant to their role.

Self-Awareness & Humility: Essential Leadership Traits

The CISO is there for a reason: to lead and champion the cause of cybersecurity throughout their organisation.

But sometimes, organisations can unwittingly create roadblocks for any CISO trying to carry out this mission. In my experience, these blockers follow three general themes.

The first type of block can simply be the CISO’s immediate reporting lines. Despite the “C” in their title, surprisingly few CISOs actually sit on the board – in fact, many report to the CIO, especially in the UK. These degrees of separation from the board can hinder the CISO’s ability to champion security to an organisation’s ultimate decision makers. Incompatibilities between the CISO’s function and that of the CIO/CTO can further frustrate matters.

The second potential block for any CISO is that of permitted autonomy. Sometimes, other leaders within the organisation need the humility to recognise that the CISO is an expert in their field, and that this is the person standing between them and cyber-ruin. Whether that CISO is in-house or an external resource, the other leaders need to put their faith in that expert and work seamlessly with them on a plan to embed security culture. Cyber security is far too important to be held back by ego!

Having the self-awareness to put your hands up when you need external help is a great trait to have as a person – and it’s an excellent trait for any executive board to cultivate too. Though the board are undoubtedly experts in their fields, no leadership team will ever be experts in all things – especially in nascent issues like cybersecurity. The board needs the humility and wherewithal to know when they need to seek help – regardless of the topic.

The third blocker I’ve observed is one of organisational clarity. When any kind of transformational change is happening, it’s important to lay out who is responsible for what. The wider security function within larger organisations may be spread across GRC, IT, and SOC functions, so responsibilities need to be clearly apportioned to each. Having a vague, fragmented matrix of dotted and dashed reporting lines creates confusion and may result in finger pointing if/when failure happens.

Change is Hard, So Manage it Properly

Creating a cyber-aware culture might seem like a no-brainer, but it can actually be a lot more difficult than it sounds.

Asking your teams to adapt to a new way of doing things in the workplace can commonly result in worry, confusion, and resistance. Why? Because change is difficult. When a team gets used to certain comfortable practices and processes, the prospect of changing that can feel rather unwelcome.

Therefore, workplace change of any kind can result in opposition – even something as positive as making the organisation more cyber-resilient.

Training for meaningful cyber-aware behaviour change runs a lot more deeply than simply training people where to click within a new piece of software. You’re teaching them to think far more critically than ever before about the messages they receive online. You’re teaching a new habit, and habit-forming can be a difficult mountain to climb – just look at 67% of gym memberships going unused!

Resistance to change often comes from a fear of the unknown or the unfamiliar. And change can’t happen if it isn’t communicated well. So the best way to address these points is to communicate what is happening, why it’s happening, how it’s all going to work, and paint a picture of the demonstrable benefits everyone will enjoy as a result. Really lay all expectations out in black and white.

But this communication should go a little further than the “what, when, who, where, why, and how.” Explain how making the organisation more cybersecure will enhance shared values. For example, when I interviewed experienced security leader Stephen Khan, he said:

“It is important to ensure an alignment of values and core principles between the organisation and its employees. If people don’t feel that they are aligned, they can’t enact positive change or support the organisation in its vision and strategy.”

As mentioned previously, nobody should be exempt from your cyber-readiness drive. Encourage your board to vocally advocate for your cyber change programme, and to act as “role models” for the change – bonus points for leaders who aren’t related to your tech function. After all, culture is led from the top!

You may also need to communicate change differently to different teams. For example, more clerical teams may fully understand and encourage the need for a security drive, but those in more manual, less clerical roles might wonder why they have to be involved. These two types of worker will likely need different comms in order to get them on board.

All Leaders Should Be Aware of Emerging Threats

Whether your organisation has a mature security function or not, this tip should be non-negotiable. All leaders need to keep their finger on the pulse of cybersecurity threats, not just the techie ones.

Just as your more financially focused leaders may keep an eye on how the stock market or the global economy is performing, so too should they keep a watchful eye on the cyber landscape. There are a lot of potential financial losses out there, after all! Let’s explore a few common risk themes.

Supply chain attacks show no sign of slowing down. Gartner predicts that 45% of organisations will have experienced attacks on their software supply chains by 2025 – that’s a three-fold increase from 2021. Each department has its own software and supply chains, so each department head and/or CXO should be aware of their supply chains – in both directions – and the risks they pose.

Leaders must also be made aware of attacks that single them out due to their seniority. Whaling or whale phishing attacks are impersonation attacks exclusively targeted at high-level execs like the C-Suite, with CEOs and CFOs especially in the firing line. These roles are chosen because they often have a lot of influence, spending power, and sensitive information at their fingertips. All the more reason that EVERYONE needs cyber training!

Leaders should also keep their finger on the pulse of staff sentiment. Of course, keeping your employees happy, well, and satisfied makes good business sense. But staff unhappiness – even just one disgruntled team member – can become an insider threat, presenting a significant risk to an organisation.

Also maintain an awareness of your teams’ technical needs, as when left to their own devices (pun definitely intended) they may start using their own, potentially risky hardware and software with your sensitive data.

Cyber threats, and the cyber security needed to combat them, will never be set in stone either. Crime never stays still, especially online, so your organisational cyber risk will need regular reevaluation.

Where Does Technical Security End and Where Should User Wisdom Begin?

Cyber and network security tools are better than they have ever been and are getting better every day. They keep the “low-hanging fruit” threats at bay, and help your staff enjoy a somewhat threat-free environment.

However, they aren’t omnipotent sentinels that hunt down all cyber baddies in your digital spaces. They have limitations and gaps in their defensive coverage. They are subject to the same “garbage in, garbage out” fallibility as other IT solutions. And some can easily be circumvented with a spot of social engineering.

It’s therefore essential that your SOC understands where your security technology’s scope begins and ends. With this in mind, they can fill any defensive gaps with other tools or with habit-forming cybersecurity training.

But take care around how you communicate this. The intention is to give your teams enough information to create new habits and keep the organisation safe – not to give them an in-depth guided tour of your cyber blind-spots. After all, you don’t know who might be planning an insider attack or even listening through a bugged device.

Conclusion

If there’s one theme to all of this advice, it’s likely “self-awareness.”

Know your security abilities and limitations. Know what your people are likely to need from you in terms of cybersecurity and what you need from them, both in the present and the future. Security is a mutual, symbiotic relationship, after all – the business is protecting its employees and the employees are protecting the business.

Yet it’s also important to know when you need to call in external help to achieve your security mission.

So if you’ve identified a need for a security leader, then know that Bestman Solutions are here to help you solve any senior security staffing issue. Whether you need someone full time, part time, or a freelance fractional CISO, then get in touch with our friendly team.
