4 ways to build cybersecurity best practices into your organizational culture


When people think about business, they often think in terms of products and services offered. When employees think about business, they tend to think of it more in terms of organizational culture and what the organization offers in exchange for joining the team.

But unfortunately, many organizations overlook the benefits a great organizational culture has on success and sustainability. It’s no longer just about mission or vision statements. It’s no longer just about salaries or health benefits. While still important, today’s most successful organizations are stepping back and taking a look at the bigger picture—the impact a great culture has on employee attraction, retention, customer engagement, and vendor and partner relationships.

While employee satisfaction is certainly an important part of building organizational culture, there are other critical factors that are often overlooked and that have significant potential to impact operations short and long-term—cybersecurity and compliance.

For a long time, these areas have been seen as just technical components of doing business: something for the people in those roles and with those skills to focus on, while everyone else takes care of day-to-day business.

Yet building cyber hygiene and compliance best practices into your culture, the way you do business day to day, can have tremendous positive impacts on your organization’s ability to sustain itself and scale in the future.

So, what can you do? Here are four ways you can build cybersecurity best practices into your culture:

1. Make it less technical.

Often, people look at cyber and compliance issues as something your technical team members tackle and no one else has to think about. That’s often because these areas rely on terminology and concepts that are too difficult for other employees to understand. As a result, many employees look at cybersecurity as an issue someone else will take care of. Yet true resilience includes all of your employees, regardless of their role, as well as your key stakeholders, partners, and customers.

Tip: Move away from technical jargon. Understand that most employees aren’t familiar with terms such as vulnerabilities, misconfigurations, ransomware, and phishing. Instead, speak to your employees in a language they understand. Explain how certain employee actions, for example clicking on a malicious link or downloading a malicious file, can have a negative impact on the organization, and an even more direct impact on the individual’s role within it. Explain that these practices aren’t just requirements, but contribute to individual success and, as a result, to the sustainability of the organization as a whole.

2. Educate, train, and educate (and train again).

Far too often, organizations face big—and expensive—messes when employees unknowingly or haphazardly do things that increase organizational risk. That’s especially true when it comes to adhering to basic cyber hygiene best practices or meeting compliance requirements. Decrease the likelihood of a security or compliance issue by ensuring your employees know what’s expected of them.

Tip: Build cybersecurity training into your organization from the ground up. That begins with orientation and onboarding, but shouldn’t stop there. Your employees should receive refreshers at least annually, if not more frequently. But don’t just talk about these issues at a high level. Personalize your training and education programs to demonstrate the impact these issues may have on individual roles and departments, as well as on overall operational resilience.

3. Get executive support.

It’s challenging to develop and mature programs within an organization when the C-suite, board of directors, and other key stakeholders don’t understand what you’re doing and why it’s critical to success. Seek executive support for your programs. Routinely meet with your executives to ensure they have a clear understanding of what you’re doing and how it aligns with business goals and objectives.

Tip: Find an executive sponsor. While you can routinely meet with your executives and board, you may find more success by finding an executive sponsor for your program. Your sponsor can help bridge the gap between the technical aspects of your program and your business goals. They can help you speak with your key stakeholders in a language they understand and can build, on the front line, the support you need to ensure program success.

4. Make it fun!

Admit it. How many times in your career have you gotten a notice of mandatory cyber or compliance training and grimaced about the time you have to take away from your job just because you’re told you have to? Can you retain what you’ve learned once you complete that training module? To ensure your employees understand why these programs are an important part of organizational culture, make your training and education programs fun! The more your team members can connect to what you’re talking about, the more likely they are to retain the information you give them.

Tip: Get rid of boring webinars and static PowerPoint presentations. Make your training and education program fun. Whether you go on-site or conduct training remotely, do it in a way that engages your employees. Don’t just talk to them, talk with them. Explore ways that each employee can think about what they’re learning and how it applies to the work they do each day. Make it competitive and offer rewards for employees who successfully apply their knowledge to the work they do, especially when they uncover a potential cyber or compliance issue.