Cybersecurity-Mindset

Building a Cybersecurity Mindset – Humans Are as Important as Technology

If we didn’t believe cybersecurity was a digital megatrend of the decade, the recent Twitter hack might just convince us. As we’ve seen with the compromise of several political celebrities’ accounts, Twitter struggles not only with closing the attack vector, but also with its own reputational damage. And, given how coy Twitter is being about how the hackers got inside (what it’s calling a “coordinated social engineering attack”), it’s clear this massive and dangerous hack was, at the outset, a people failure and not a technical failure. Several employees clicked on something they shouldn’t have – whether through company email or social media services – which gave hackers extraordinary access to their systems.

For many enterprises, cybersecurity has been a topic to be added “on top” of the cool engineering functions that promise to bring in revenue or save money. In this decade, however, cybersecurity is an intrinsic risk management essential that must be built into the core of every employee, product and service. The days of relying solely on perimeter security are fading away. Companies need to implant security by design and default into their enterprise DNA.

This means rebuilding the culture and behavioral patterns of employees to establish security as a core value, which has become a responsibility at least as important as looking at the most recent trends in defense technologies and the next must-have on the CISO’s agenda. Many companies have already adopted awareness campaigns and may have established policies and procedures to become more defensive – one can’t help but think Twitter would have led the charge on this front. But its recent breach makes it clear these programs have room for improvement. Today, establishing a security mindset that helps employees think like an attacker has become crucial.

Here are seven steps to help companies take cybersecurity to the next level:

  1. Create new neural pathways. Take a page from the Utilities and Manufacturing industries’ playbook. Companies in these industries had to shift away from “we will probably not be affected” to “sophisticated violation can happen to anyone, we can never be too vigilant.” An individual’s prefrontal cortex can hold only about three or four thoughts at a time. To change human behavior, you must build the desired mindset in the prefrontal cortex by consistent and applied repetition and testing. When ISG has helped Utilities companies emphasize facilities and physical safety, we’ve seen measurably fewer industrial accidents and better safety for employees. This same strategy can work using a combination of employee awareness, testing and role play of bad security stories to increase employee knowledge and improve attitudes and behaviors.
  2. Err on the side of caution (and borderline paranoia!) in personal responsibility. In the manufacturing industry, daily or weekly touch point meetings often begin with a "safety moment." Participants open with a brief presentation on safety and leave their colleagues with a clear take-away. Brain science has proven that this kind of engagement and repetition is effective for changing behaviors. An IT team might build in “security moments” as the foundation of standing meetings to begin adopting the mindset of preventing security hacks.
  3. Invest in active defense. Establish threat intelligence to look beyond your enterprise’s scope into the greater internet, the deep net and even the dark net. Who is interested in you? Who is selling your credentials? Who is buying your credentials? Who could target you? How will you know if they have? On the operations side, train key people in charge of personnel on- and off-boarding to act immediately adjust and terminate access as needed.
  4. Establish a cybersecurity center of excellence (CoE). A cybersecurity CoE does not act as a policy provider or security gatekeeper. It is a sparring partner to test solutions and assumptions around security and a security solution provider for the whole lifecycle of products, services or organizational change. Once a CoE has been established, enable and encourage everyone in the company to actively and heartily facilitate its work.
  5. Establish security communities of practice (CoP). Security CoPs focus on opening up the work of the cybersecurity CoE to a broader audience – anyone can participate, regardless of their function or role. Use these communities to raise awareness and continuously educate and remind employees about their personal responsibility in security. Conduct regular, brief “think like a hacker” workshops with security professionals, share experiences with especially difficult “security by design” challenges, and discuss how to build collaboration into the product, service or organizational lifecycle as early as possible.
  6. Use all available methods for challenging, testing and proofing security. Use automated penetration testing on a regular basis. Conduct security assessments with greater frequency. Regularly run “red team assessments” to simulate a cyberattack on your own products, services and company and identify holes in your security plan. Conduct regular social engineering and spear-phishing test attacks. Participate in a “bug bounty challenge” to provide incentives to ethical hackers to find gaps in your security at the human and technical levels before malicious attackers do.
  7. Facilitate “CYBERsecurity by design” and “CYBERsecurity by default” strategies as market differentiators. Today, it is not enough to show your ISO27001 certificate. Invite your customers to take part in a red team assessment. Show them how you deal with discovered vulnerabilities. Prove that your policies, procedures, people and practices are built on a secure foundation.

It is a brave new world with more and more work happening virtually and more potential for security threats. ISG helps enterprises secure their workplace and their workforce using solutions that leverage technical and human solutions. Talk to us!

About the authors

Andreas is a senior member of the Cyber Security Practice and a Subject Matter Expert in aligning IT Security and Data Protection/Privacy requirements with Service Management and architectural challenges. He is an experienced project manager and architect for digitization journeys in the area of Cyber Security, Data Protection/Privacy, Enterprise Architecture and IT Service Management.

Missy Lawrence Johnston is a principal consultant in ISG’s organizational change management (OCM) service line with 15 years of experience as a thought leader and culture-change expert helping government entities, nonprofits and Fortune 100 companies. In her current role, Missy leads strategic change-leadership and OCM teams. She drives day-to-day deliverable execution and client relationship management and is ultimately accountable for OCM deliverables and client/project-team leadership for digital OCM. Her highlighted competency is in global enablement for digital transformations, with a focus on team dynamics, change leadership, and empowering psychologically safe environments.