How to Create a Cyber-Savvy Corporate Culture

Steve Martino


March 20, 2017

When it comes to cybersecurity, the conversation normally focuses on technology, policies and processes. But too often these discussions overlook a critical component: people.

According to research from the Ponemon Institute, employee mistakes account for one-quarter of data breaches. While deploying the latest in cybersecurity solutions is critical, an organization’s data protection depends upon the “cyber IQ” of its entire workforce, from the mail room to the board room, making it vitally important to cultivate a culture of “cyber-savvy” employees. The following three steps can help organizations reach this goal, regardless of their industry segment:

Embed Cybersecurity within the Corporate Strategy
All corporations, whether they sell sneakers, appliances, greeting cards or cheeseburgers, should recognize cybersecurity as a core business component. Fortunately, many companies are starting to understand this: One-third of finance and line-of-business executives now view cybersecurity primarily as a business enabler, according to Cisco’s Cybersecurity as a Growth Advantage white paper. Additionally, 44% feel that cybersecurity practices provide a competitive advantage. More than 70% believe data risks hinder innovation, and 39% have halted mission-critical initiatives due to these concerns.

This new wave of thinking must take hold organization-wide, and change must begin at the top. If the CEO and fellow C-level executives do not include information assurance within every phase of strategic planning, then how can they expect employees to do the same in performing their day-to-day tasks? In leading by example, senior management can clearly demonstrate that cybersecurity is business and needs to be built into every process from the very beginning.

Educate Employees about their Role in Security
According to the Ponemon Institute research, training efforts reduce the cost of every compromised record by $9. But organizations will gain far more benefits by avoiding a “one size fits all” approach. Training sessions should address employees’ specific roles and responsibilities. A finance professional, for instance, deals with data that is essential for audits or budget planning. A marketing team works with customer-focused analytics. So there really is no training “template” to teach both groups how to do their jobs effectively while ensuring the safety of the data.

In addition, companies need to view training as a commitment to ongoing, continuous improvement. “One off” sessions will deliver little lasting value. At Cisco, for example, every employee is tested about phishing exploits once a quarter. Why? Because phishing represents the most common source of endpoint compromises. With the stakes so high, we show employees what a phishing scam looks like, how an adversary will “disguise” a malicious link to appear legitimate, and we test what they’ve learned using phishing email scenarios. We created “Phish Pond,” an internal portal where employees can learn how to spot and avoid these deceptive “hooks.” We also make use of online polls and quizzes to reinforce best practices.

A continuous improvement philosophy supports a cyber-savvy enterprise in multiple ways. By routinely revisiting these topics, we are able to update key information as needed so our team gets the most relevant, timely intelligence. Threat tactics are always changing and increasing in sophistication every day so our training programs must adjust accordingly. What’s more, through repeated sessions, we observe that our employees quickly master the “basics” about cybersecurity, which allows us to take them to the next level of training to elevate the breadth and depth of their awareness.

Make it Personal
Thanks to mobile technologies and Bring Your Own Device (BYOD), private and professional lives are blurring more than ever. Work-life balance means something different today than it did just five years ago. Everything is interconnected, with employees accessing personal and work-related emails on the same device. Their use of social media is similarly intertwined – when is Facebook, LinkedIn, etc. a business outlet and when is it a “my time” thing? Oftentimes, it is one and the same.

Instead of ignoring cultural phenomenon or, worse, pretending it does not exist, should help their people safely tend to their personal matters, such as online banking and personal shopping, while they successfully pursue strategic goals for the business. This results in a win-win situation: Leadership obtains further assurance that private activity will not jeopardize business, while staffers feel engaged and confident that their company “has their back” in protecting what matters to them.

By combining these three steps, cybersecurity awareness is no longer perceived as a “checkbox item” or a bothersome distraction from our daily responsibilities. It is embedded into the company strategy from start to finish. Employees soak up new and compelling insights about attack methods in presentations that directly speak to their individual roles. Then, the heightened vigilance extends to their personal lives, expanding the concept of data defense as something to think about every time one connects to a device, whether for business or pleasure. Cybersecurity is a fully realized part of the corporate culture, as much a part of the water cooler discussions as last night’s football game or Dancing with the Stars. And this degree of cyber-savviness within a workforce will prove every bit as formidable to hackers as the latest and greatest security tools.
Steve Martino is vice president and chief information security officer at the Cisco Security and Trust Office.