In a world turned upside down by the global pandemic, is there room to embed a sustainable cyber security culture? Anna-Lisa Miller, Group CISO at Spectris, joins J.D. Miller to discuss how company culture can affect cybersecurity and how to encourage employees to learn and adopt security habits.
“This is about giving people the information and the tools and the open door to further help should they need it, rather than trying to hammer in additional work or additional hurdles for people to go over.” -Anna-Lisa Miller
J.D. Miller: In a world turned upside down by the global pandemic, is there room to embed a sustainable cybersecurity culture?
Anna-Lisa Miller: I think it’s fair to say that everyone has been impacted by COVID-19 in some shape or form and there’s a lot of adjustment that people have made, whether it’s working from home, or trying to juggle homeschooling with work, or even just the underlying anxiety with the fact that there’s a virus out there.
While all of that’s going on, our jobs as security professionals are more important than ever, and we still need to make sure that our workforces have access to the right information. They know what to do. They know what behaviors are acceptable and which ones aren’t when it comes to using technology in a secure way. The point here is: with all of that going on, how do we get those messages across? How do we make sure there’s room for people to absorb the important security messages we have, when there’s all of this other stuff going on as well?
J.D.: We know that you’ve got to get the organization to embrace culture. How do you gauge if your organization is ready to embrace a cyber culture and what does that take?
Anna-Lisa: In most organizations, you probably don’t need to have a separate cyber culture; what you actually need to do is really get under the skin of what makes your organization successful. Then, what do people need to do from a security perspective to help do that even more? It’s really about finding the way to integrate security into the existing organization structure and culture.
J.D.: Do you start with the executive team? How do you build that internally?
Anna-Lisa: There is a good strategy around starting from the top – convincing your leadership teams what they need to do and how they can help to cascade those messages.
I think you also need to find multiple angles to help people. What I really want to get across is the fact that this is really a service to your organization. This is about giving people the information and the tools and the open door to further help should they need it, rather than trying to hammer in additional work or additional hurdles for people to go over, which I think is how everyone perceived security to be.
J.D.: You make an argument that culture can help protect your business from sophisticated attackers. Tell me more about that.
Anna-Lisa: If people feel strongly connected to an organization through the values and culture, and if security is part of that, that’s the goal. If people are quick to recognize a phishing email and if they know what to do, if they care about the outcome of that phishing email, they will start to spread the word between their colleagues, or they’ll escalate it to a service desk, or to a security person. They know what to do much more quickly when they care about it, and when it’s part of their culture.
J.D.: How do you think that’s changed over the last 12 to 18 months?
Anna-Lisa: It is certainly changing. Part of the reason for that is that people are getting more experience of what security issues can actually mean to them. People are finding their personal accounts, as well as their work accounts, being disrupted or intercepted, and when you have that direct experience, it suddenly makes it much more real, and makes it a lot easier to understand what the security people have been talking about for all these years. If it actually happens to you, you’re going to get it.
We see a lot more in the news about, you know, particularly large security incidents, and some really awful and really distressing news, particularly about things like ransomware attacks and hospitals that then actually have a significant and fatal outcome.
J.D.: You outline three key areas to protect against cybercrime: Define and disrupt; Be ready to answer the “So what?” and the big “Why?” questions; and Keep it real. Explain “Define and disrupt”.
Anna-Lisa: The define and disrupt piece is about whether your organization really has a cybersecurity culture, or whether it’s how cybersecurity fits into your organization’s culture.
It’s that definition of how you are going to find the channels and the mechanisms to deliver the messages that your workforce needs to hear. Once you’ve figured that out and you’ve got a plan, be prepared to do something just a little bit different, that’s memorable.
Remember that if you invoke an emotional response to something, people are more likely to remember it, and more likely to learn from it.
I think historically, with security, people have gone with fear; I prefer humor. If you can find a fun or funny way of delivering what are fundamentally quite depressing messages, then you’re probably going to have a bit more success, you know, getting your messages across.