Why a culture change program is key to effective cybersecurity

Integrating a culture change program into a cybersecurity program for easy and effective adoption as well as better return on investment

• While technology forms the core of cybersecurity, a culture change program prepares a cyber-aware and willing-to-adapt workforce for its optimal use.
• Over the years, cybersecurity products and tools have evolved, and their effectiveness and robustness have increased substantially, which has lead to cybercriminals targeting employees accessing the organization’s systems

This article argues that a culture change program is essential for an effective cybersecurity program and a return on cybersecurity investments. Three premises support the argument. A culture change program integrated into a cybersecurity program ensures that:

• A systematic approach is adopted to address the changes required for any cybersecurity improvement.
• Culture fit is addressed in cybersecurity product and tool implementation, and teams are adequately informed on how to use them correctly.
• The primary cause of breaches and human vulnerabilities are addressed systematically.

The article is outlined on these three premises. This article is a part of a three-series article. The next article will shed light on why it’s challenging to build and sustain cybersecurity culture and why few organizations approach cybersecurity culture in a structured and systematic way, even though they realize the high ROI of this activity. The last article in a series of three will provide a roadmap on how to start building and sustaining a cybersecurity culture.

Improving cybersecurity requires change

Cybersecurity programs aim to improve an organization’s security posture. Improving always implies that some things (or in other cases, many things) need to change. However, it is evident from our past experiences that changing human behavior can be demanding.

In general, most individuals would like to see change, but few would like to change. You can take smoking and exercising habits as the most common examples of how trying to change human behavior often fails. Rationally, individuals understand the negative consequences of these habits, but fail to change even when presented with the overwhelming health benefits.

If individuals are reluctant to accept change even though it may cost their lives, what makes cybersecurity decision-makers believe that an organization’s employees will adapt to new desired behaviors that today’s digitized working environment demands?

Often, not taking the employees involved and affected by a digital transformation into consideration is why projects struggle to achieve their objectives. From a cybersecurity perspective, improving cybersecurity requires a change in strategies, processes and technologies. These changes do not happen by chance. An organization’s employees are the ones ensuring that:

• Cybersecurity strategies are operationalized throughout the organization.
• Cybersecurity products and tools are properly utilized.
• Cybersecurity requirements and required behavioral changes are being adapted.

The implementation is the most challenging stage of a cybersecurity program. In establishing the foundation of cybersecurity governance, including principles, roles and responsibilities and strategic, tactical and operative governance, documentation often works well. The challenge here is to:

• Create concise documents that are easy for users and other key stakeholders to understand and follow.
• Ensure that operational instructions have a clear link to the overarching principles and goals.

Most organizations struggle in ensuring cybersecurity ownership throughout their organization, including ownership of the requirements and responsibility to implement new routines that the cybersecurity operating model describes. If employees fail to understand the rationale of cybersecurity requirements and why they need to change accordingly, the change motivation is likely to decline over time. In addition, if employees lack the necessary skills or tools to adapt to new working routines, they won’t know how to change and comply with cybersecurity requirements. Here is where the role of a culture change program to achieve desired cybersecurity culture comes into play.

Organizational culture is a pattern of basic assumptions that a group of individuals has developed in learning to cope with its problems¹. Therefore, building a certain culture can help govern appropriate behavior in relation to the given set of problems in a group of individuals. A shared organizational culture influences individuals’ intrinsic beliefs (attitudes, normative beliefs and perceived control to perform a task). By building a certain organizational culture, the likelihood of employees adhering to policies governing proper behaviors increases.

The purpose of building a cybersecurity culture can help obtain three outcomes:

• All employees are aware of and understand cybersecurity requirements and the responsibilities they imply.
• All employees possess the appropriate knowledge, skills and motivation to adhere to cybersecurity requirements.
• All employees are aware of the cybersecurity threats relevant to the organization and knowhow to combat them.

Building a cybersecurity culture fosters an organizational acceptance of cybersecurity requirements, as well as create a cybersecurity-aware and threat-resilient workforce. Therefore, building and sustaining cybersecurity culture increases the likelihood of organizational adherence to policies and better individual management of cybersecurity threats².

Activities supporting cybersecurity culture change, such as awareness-raising communication and training, should be structured and continuous. Structuring the approach of building a cybersecurity culture as a part of the cybersecurity transformation journey will achieve the required changes in people, processes and technologies.

Products and tools are not enough by their own

Traditionally, the dominant part of investments of cybersecurity is spent on products and tools. The cybersecurity tools market is booming and is expected to grow significantly in the coming years.

Among the cybersecurity solutions, the endpoint security solution is the fastest-growing category in cybersecurity investments³. This is likely due to the growing threat of ransomware targeting endpoints, which have doubled in the last 12 months. The most vulnerable assets in the event of an attack are usually the endpoints, and organizations are, therefore, dedicating close to a quarter of their IT security spending to endpoint security tools.

EY Global Information Security 2020⁴ showed that 37% of Nordics cybersecurity budget, in any given year, is spent on security operations centers (SOCs), which is the largest category of spend in terms of budget and full-time engagement (FTE). However, the performance of many organizations’ security products, tools and SOCs is lower than expected. Almost 70% of all breaches still originate at endpoints, despite the increased IT spending on endpoint security solutions. In Nordics, significant breaches are mostly discovered by a business function and only 23% are identified by their SOCs. This study concludes that cybersecurity products and tools are not detecting threats and incidents as effectively as expected, compared to the organization’s employees.

So, why are investments in cybersecurity products and tools not providing the expected return-on-investment (ROI)?

One explanation is that the tool-focused cybersecurity industry has led organizations to equip themselves with many different products and tools, but struggle with properly integrating them in their IT environment. In addition, the effectiveness of tools relies on manual intervention and human eyes to spot anomalies, respond to alerts, and tune and calibrate the toolset. This requires adequate resources with the necessary skills, which is proving to be the greatest challenge.

In fact, cybersecurity personnel are struggling to use cybersecurity products and tools in a correct way — sometimes, not using them at all. Organizations may have solutions in place and are paying for licenses, but are not aware of what the tools are for, what they can do and how to configure them.

Hence, it is crucial to assess required staffing, provide training to utilize tools and solutions effectively, and increase the likelihood that the organization’s employees act as the organization’s human firewall.

Breaches are caused by human vulnerabilities and need to be addressed

Over the years, cybersecurity products and tools have evolved, and their effectiveness and robustness have increased substantially. Although the efficacy of products and tools relies on manual processes and human interventions, today it’s more difficult to successfully attack an organization’s systems or applications through technical means.

Consequently, attackers have developed techniques that bypass technical controls by targeting an organization’s employees accessing the systems or applications. One such technique is phishing, which relies on manipulating individuals into performing actions that benefit the attacker; for example, installing malware through e-mail distributed weblinks or revealing credentials.

The report also shows that the use of stolen credentials, misconfiguration and inaccurate delivery (for example, sending sensitive information to the wrong recipient) make it to the top of the list of tactics causing breaches.

According to EY research, more than one in four Nordic organizations report that over 75% of their breaches were made possible through an employee weakness (for example, used a weak password, became a victim of phishing, lost a laptop, failed to patch or configure, etc.).

So, why do an organization’s employees fall victim to cyber-attacks or fail to comply with cybersecurity policies?

In general, there are three main reasons.

• Employees are not aware of common cybersecurity threats or the existence of policies governing proper cybersecurity behaviors. For example, they overlook the fact that there are policies governing the encryption of sensitive information or that the information they shared externally is classified as confidential.
• Employees are aware of common cybersecurity threats and policies governing proper cybersecurity behaviors, but don’t know how to combat threats and comply with the policies in practice. For instance, they are unaware of using tools to encrypt classified information or distinguishing between internal and confidential information.
• Employees are aware of the existence of policies governing proper cybersecurity behaviors, know how to combat threats and comply with the policies in practice, but don’t care to do so. Here, we have a problem with motivation and lack of ownership to protect information assets and the requirements related to the protection. Among these three reasons, this is, in general, the hardest one to tackle.

Addressing these three causes should be the focus of any cybersecurity change program addressing human vulnerabilities.