CYBERSECURITY

Building a Security-Minded Culture

by Noah Gallo

LINKAGE Q2 (2023) - CATAPULT

We know that threats like ransomware can operate undetected and do damage for months, even in top-performing organisations. One reason is that many employees cannot tell when their computers have been compromised. Companies must therefore implement practical steps to build an “actionable” knowledge base among employees so that gaps in employee awareness are reduced. The points listed below are a few tips companies can apply to build a security-minded culture in their organisations.

Mobilising Organisational Resources for the Collective Good to Prevent Cyber Attacks
Security awareness is more about collaboration than teaching. When the user community feels informed about cybersecurity threats, how those threats affect them individually, and the current attacks affecting their organisation, they take a vested interest in developing a strong security culture.

Chief Information Security Officers (CISOs) recognise that without the help of every employee in the organisation, security breaches, including malicious attacks and other potential issues, will continue to rise. With the increase in cybersecurity threats, most legacy detection and response strategies will falter. Even the most tech-savvy users still pose a security risk to the organisation.

Preparing for Tomorrow’s AI Attacks, Today
Hackers, like organisations’ Security Operations (SecOps) teams, have adopted artificial intelligence (AI) tools to increase the velocity and effectiveness of their cyber attacks. Attacks built with AI tools such as ChatGPT have produced near-flawless phishing emails, deepfake voicemail messages, and cleverly written SMS messages sent to users’ mobile devices. The AI threat grows each day as hackers use these tools to extend their existing threat vectors.

Traditionally, SecOps discloses portions of the attack artifacts to the C-level leaders, risk management, and legal. Rarely does SecOps share details with the user community, except when one of its members becomes a victim of the attack. This lack of sharing creates a security gap in the organisation that lets the attacker launch the same attack against multiple users.

Creating User-Facing Cybersecurity Dashboards; Creating an Actionable and Proactive Culture
SecOps teams wanting to share the good, the bad, and the ugly of real-world cyber attacks have made a positive shift by developing dashboards for the user community. Users, always curious about the secret world of “cyber”, are deeply interested in knowing whether the organisation is getting hacked and by whom. CISOs who recognise this perfectly normal curiosity can use it to benefit the organisation.

Exposing what the organisation faces creates a collaboration culture and mobilises users to participate in a cybersecurity strategy. Information sharing and providing non-technical explanations to the user community help raise awareness about security risks.

Shifting from an Authoritative to a Collaboration Partnership
Organisations that recognise the challenge of user acceptance of security controls and policies have learnt firsthand what happens when users choose not to follow them.

● Users inadvertently click on malicious links embedded in phishing emails without taking the time to read the email before clicking, leading to credential theft and ransomware propagation.
● Users download malicious content from websites, believing it is just another PDF document or an excellent application for their iPhone.
● Users reuse their passwords across personal and corporate email accounts.
The risk posed by users within the organisation should never be underestimated. SecOps and IT engineering can deploy adaptive controls, including:
● AI-powered, cloud-based email security platforms to help automate email encryption, DLP, inbound email filtering, and outbound data protection.
● Endpoint security with XDR integration.
● SASE/Zero Trust for secure remote access and wide-area network optimisation.

Even with these automated enterprise security solutions in place, organisations still need a collaboration strategy: a cybersecurity culture that respects the diversity of the user base while protecting the corporation’s assets and people.

Developing a Sustainable, Agile Cybersecurity Culture
If security culture is a critical, need-to-have asset in the security toolbox, what can IT leads and business executives do to ensure that organisational and IT policies and training programmes become aligned with the constantly changing cybersecurity threat landscape?

CISOs working with their IT counterparts need to develop cross-functional collaboration, not a silo or island approach from the past. Cybersecurity is everyone’s responsibility. Changing the cybersecurity mindset and moving the organisation to more interactive long-term security behaviours must be prioritised by management.

Every member of the organisation needs to be an active participant in the cybersecurity operation plan. Users, SecOps, CISO, CIO, and other leadership team members must invest the time and effort to learn their role in developing this new culture. Does the organisation budget for cybersecurity training, capabilities, and monitoring services? Does the organisation actively recruit experienced talent for the SecOps teams? Having executive sponsors, a budget, and alignment with the business strategy is essential for every aspect of the organisation. Every department needs to become an active participant in the cybersecurity strategy. This is not just an IT issue anymore.

Enabling Cyber Warriors through Open Communication, Partnership, and Trust
Developing cyber warriors within your organisation is like any other relationship. This process requires trust, open communication, and constant positive reinforcement of the core message to all the users that their actions will make a difference.

In the past, the security team and members of the IT department created cyber policies and training regimens in a silo. Several secondary groups in governance, risk, compliance, human capital management, and legal contributed to the policy and training content. Many of these legacy policies resulted in low user adoption and acceptance.

When CISOs and risk management teams develop user policies and training strategies to build these internal assets, what is the best strategy to achieve this goal?

Many off-the-shelf cybersecurity training programmes remain difficult for organisations to justify on cost, partly because of the low adoption rate among the user community.

Why are CISOs seeing such a shallow adoption and acceptance rate among users? If users do not recognise a valid reason to care about the “mandatory quarterly training”, they will continue to resist it and put less effort into supporting corporate security.

What causes this resistance and lack of adoption by the user community of elements that are essential to preventing cyber attacks from affecting their work life?

Innovation and Collaboration while Promoting Participation
People need to feel like part of the process. The organisation’s comprehensive security programmes need to change from a top-down mandate to a system that promotes collaboration through knowledge sharing, gamification, mentor programmes, rewarding users for making the correct cybersecurity choices, and giving users visibility into what the organisation faces every day when someone clicks on the wrong link.

This strategy will help build and sustain a cybersecurity culture throughout the organisation at all levels while educating every employee on the need to be an active participant in the cybersecurity operation plan.

ABOUT THE AUTHOR

Noah Valle Gallo is the Sales Director at Trustifi