Solving the people problem: How to put people first in cybersecurity

By Lance Spitzner, Senior Instructor at SANS Institute

Want to know a secret? We’ve spent too long getting cybersecurity culture wrong. Over the past 20 years we’ve grown accustomed to using technology to secure technology, and we’re good at it. We’ve done a far poorer job of securing people. Given that humans are now the primary attack vector, there is a clear case for solving the people problem, and that starts with breathing new life into a stale cybersecurity culture.

Getting the human factor right is the key to a strong, resilient cybersecurity posture. It should be no surprise that routine human error is a major contributing factor in breaches, and one that can undermine even the most robust technical controls. In a fast-evolving hybrid workplace where 80% of breaches involve a human element, there is no stronger case for a total rethink of how we lead cybersecurity change and build a strong security culture across the workforce.

Ultimately, the stronger your security culture, the more likely it is that people will behave securely. The bottom line: if you want your workforce to exhibit secure behaviours, you must first do the groundwork of creating an environment in which those behaviours can flourish.

Understanding Security Culture and How to Build it

Culture is built and shaped by what people think. At its heart, it is people’s shared attitudes, perceptions, and beliefs, and a cybersecurity culture rests on that same foundation. What drives a positive security culture are things we as humans value most, such as being treated with respect and engaged with positively. Fundamentally, if security at your organisation is too authoritarian, unapproachable, or unable to engage with the workforce in a positive way, people will simply tune out whatever you are trying to teach them. Humans are widely criticised as the weakest link in the cybersecurity chain, but telling people they are doing it all wrong will get you nowhere. You have to educate, and build a security culture that reaches everyone at every level of the workforce.

It will come as no shock that even the best-designed management programmes break down if they are not backed by a strong, positive culture. All too often, a negative culture is the root cause of a failed vulnerability management programme. Security operations fail too when teams butt heads and the working culture is not positive or collaborative enough to get results. The point is, no matter how important the security objective, it is destined to fail if the workforce experiences the security culture as toxic.

Terms that too often arise when describing this kind of poor culture are ‘punitive’, ‘vague’, and ‘fear-focused’. If that describes your organisation, how are you going to take the workforce on a cybersecurity journey with you? Having the vision is one thing; having the communications strategy to share that vision and execute on it requires a whole other skill set.

The Golden Rules: How do we go about it?

Culture starts with the security team. If people find your policies easy to follow and your team easy to work with, you are off to a great start.

Self-awareness plays a central role here: security teams must be able to hold up a mirror and ask, “Would I buy into what I see?” Answering that honestly requires knowing what people actually think about the security team. It might seem daunting to ask the workforce what they think of their security team, but there is no better way to get a health check on your security culture and to see what needs improving fastest. To get started, focus on these indicators.

Ask yourself:

  • Do people feel safe reporting incidents? Even ones they might have been responsible for?
  • Does the security team receive regular communication from the workforce, such as requests for briefings?
  • Is the message getting through? If not, why? Is it too technical, too vague, too unfamiliar?

When trying to steer an organisation’s security course, remember that emotions count enormously. It is vital to enable a frank discourse in which employees feel free to share their thoughts and feelings about everything from the security team itself to its policies and training.

The Dos, not the Don’ts

Success lies in motivating the workforce and making security easy for them. You do not achieve that by technical wizardry; you achieve it by understanding people. Look to simple behavioural architecture: can you nudge people into doing what you want them to do without them even noticing? As experts in what we do, we can be guilty of causing cognitive overload. Instead, spell out in simple, non-technical language what must be done. In cybersecurity the list of don’ts is never-ending, so it is impossible to tell people everything they should not do. Make it easy for everybody and tell the workforce the five things they should be doing. Isn’t it better that they take five simple actions than ignore a list of 20 things you told them not to do?

Always keep it simple 

When communicating cybersecurity instructions, keep it simple. For instance, if you are rolling out a new password manager, do you think people will take the time to decipher technical language, or care about your well-intentioned explanation of why it matters for regulation and the company? That is a resounding no. Why not be the good guys and tell people how much time they will save with the new tool and how much simpler their working day will be once they follow a few simple steps? If writing for a broad audience is not your strong suit, no problem.

Take the time to connect with HR or the internal communications team for help putting your vision into non-technical language. To be effective, the writing should always be from the point of view of the people reading it, not the security team. And communicating does not have to be dull and corporate: putting your instructions into something like a comic strip will get far more people wanting to absorb what you have to say.

The Road Ahead 

Today, cybersecurity leadership is no longer just about technology. It is ultimately about organisational change: change not only in how people think about cybersecurity but in what they prioritise and how they act, from the board of directors to every other level of the organisation.

Building, managing, and measuring a strong cybersecurity culture, drawing on the latest real-world lessons and organisational change models, is now a core business priority. Security professionals need to see their role as that of a people manager, charged with helping people change their behaviours in service of business goals. Ultimately, managing human risk is why we all do security.