Recently, we brought together CIOs and IT leaders for our ‘CIO/CISO Roundtable on the Thames: Navigating through uncharted waters’ event in London. Over 40 CIO/CISOs and IT leaders came together to network and discuss issues keeping them up at night.
Of course, the conversation between technology and cyber professionals was enriched by wine, food and a fantastic view of the River Thames. Plus, we were thrilled to be joined by former Arsenal F.C. IT Director Christelle Heikkila, who gave a thought-provoking keynote speech to kick off the event on the challenges of changing cyber security culture and reaping the benefits when it is done right.
She explained that plenty of people are ‘cyber security aware.’ At the organisational level though, there are many competing priorities and so cyber security is not necessarily at the top of the list. Some organisations benefit from big investments in security but plenty of others aren’t so lucky.
When we talk about culture in an organisation, we mean people’s attitudes, their assumptions, their expectations and their beliefs. Together, all of these things drive people’s behaviour. So if we apply this to cybersecurity we might get:
Attitude – “I’ve got more important things to worry about than cybersecurity.”
Assumptions – “That’s the IT department’s responsibility.”
Expectations – “Well if we ever get hit by an attack we’ll be fine – the IT department will deal with it.”
Beliefs – “GDPR has nothing to do with IT security.”
“The problem is therefore, if you have poor attitudes, unfair assumptions and incorrect beliefs then you end up with poor cybersecurity. Poor cybersecurity culture, unfortunately, equals poor cyber security”, explained Christelle.
Start at the top. The most senior people in the organisation have to set the tone for its culture. If senior leaders don’t complete their cybersecurity training, for example, why would anyone else bother? Not everybody fully understands the implications of a cyber attack. It could mean a large fine or reputational damage. It could mean being unable to grow your business because your customers don’t trust your security, or it could mean the loss of IT systems. When you paint the picture to others in the business, make it relevant to the organisation you are working in.
"Do people know how to make noise about cybersecurity in their own organization?"
Christelle challenged the audience to think of creative ways to do just that and explained that, “whilst at Arsenal, I offered up some space in the stadium to the Cyber Division of the Met Police to host a cyber awareness event.”
Not every organisation can boast a separate security team, though; some are lucky if they’ve got a single person doing it. But cybersecurity isn’t all about one person. You need people who can write IT policies, people who can look at processes, people who can lead awareness training, and you need technical people too. The chances of a small organisation finding one individual who’s good at all of those things are very slim. Plus, on top of having the right people and processes in place, you also need tools.
Christelle explained, “My own unsuccessful drive to recruit a ‘do-it-all-superbody’ led me to change tactics and instead give every member of the tech team a role in security. I had people on the Service Desk doing inductions and awareness training, I had somebody running phishing campaigns and I trained my technical engineers in cloud security. Find champions. There might be people in other departments who are interested in cybersecurity. So, bring them together and give them a role in landing some of your IT change.”
Finally, when it comes to promoting a cybersecurity culture, you have to strike the right balance. If the business is not mature in this respect, then you need to start by getting the basics right. The NCSC offers very good advice here. Cyber security is integral to everything in technology these days, from developing software and ensuring you have tight policies in place, right through to selecting and vetting the right technology partners to use. But all of this starts with the people.
“Good cyber security culture equals good cybersecurity, which equals good IT.”