
A Framework for Cultivating a Culture of Cybersecurity


Steve I Cooper, CIO, U.S. Department of Commerce
In 1943, American psychologist Abraham Maslow formulated a theory of human motivation, the eponymous Hierarchy of Needs. In his theory, Dr. Maslow suggests that the basic needs of physiology, safety, love and belonging, and esteem must be met before people can reach their full potential. While Dr. Maslow may not have had cybersecurity in mind in 1943 when he listed safety as a need, it could be argued that the human need for safety in the 21st century covers not just our physical person but our digital identities as well.
So how do we, as information technology professionals, ensure the digital safety of our employees so they can reach their full potential? One way is to build on an existing cybersecurity framework to cultivate a culture of cybersecurity.
The NIST Cybersecurity Framework
Through collaboration between the government and the private sector, the Commerce Department's National Institute of Standards and Technology (NIST) developed a voluntary set of prioritized, flexible, repeatable, and cost-effective industry standards, guidelines, and practices to help organizations manage cybersecurity risk. This framework gives organizations the tools to describe their current and target cybersecurity postures, select areas for improvement, assess progress toward the target state, and communicate cybersecurity risk to stakeholders.
The NIST framework organizes basic cybersecurity activities into five key functions:
1. Identify – understand your organization, its resources, and its threats, vulnerabilities, and risks
2. Protect – take preventive and defensive measures to minimize the probability and impact of cybersecurity events
3. Detect – discover cybersecurity events as quickly as possible
4. Respond – contain and mitigate cybersecurity events
5. Recover – quickly restore services affected by a cybersecurity event
Organizations can build on this framework and its functions for managing cybersecurity risk and tailor it to suit their size, complexity, and risk appetite. At its core, cybersecurity is risk management and your employees, customers, and stakeholders engage in risk management daily, even if they’re not aware of it. This framework gives us the technical foundation for cultivating a culture of cybersecurity.
A Culture of Cybersecurity
Just as cybersecurity must be baked into systems as they're developed and not bolted on later, cybersecurity must be ingrained into your policies, procedures, processes, and performance measures at every level of your organization before cybersecurity becomes a problem. The formula for this culture of cybersecurity will vary from one organization to another, but here are a few concrete actions to consider:
Michael Maraya, Manager-Cybersecurity Operations, U.S. Department of Commerce
1. Train employees on how to spot phishing e-mails. Phishing e-mails are one of the more common ways cybersecurity incidents are introduced into an organization. Poor grammar, misspelled words, and blatantly fake domain names are a dead giveaway for less sophisticated phishing attacks, but an increasing number of phishing e-mails now have flawless text and plausible corporate graphics and links. Providing training on a regular basis, in person and online, has increased awareness and decreased the number of people falling prey to phishing e-mails in our organization.
2. Give employees the tools to protect themselves. Invest in multi-factor authentication so that a stolen password alone is not enough to take over an account, particularly for system administrators and remote users. Encrypt sensitive documents and e-mails so that only the intended recipients can read them. Provide virtual private networks for your mobile workforce to keep their information safe when using public Wi-Fi hotspots. Implement digital signatures so employees can verify the identity of the sender and confirm that the document or e-mail was unaltered.
3. Empower employees to make risk-based decisions. Avoid draconian or reactionary policies that add administrative burden but don’t improve risk management. Instead, make employees aware that their actions have an element of cybersecurity risk, arm them with the tools to mitigate the risk, and trust them to make the right decisions.
4. Don’t blame the victim. Cybersecurity incidents are the new normal. Use these incidents as an opportunity to coach employees instead of punishing them for something they may not have had any control over in the first place. We conduct regular internal ‘anti-phishing’ campaigns in which the links embedded in campaign emails take people to our online training, rather than embarrassing them.
5. Make employees stakeholders in cybersecurity. Improving your organization’s resiliency to cybersecurity incidents should not be limited to your security operations team. Solicit input from your employees in preparing for incidents and ask for their feedback after an incident has occurred. They may surprise you with insights your security team may not have even considered.
6. Give your system administrators the time to do things correctly. System administrators are under constant pressure to support new engineering projects while keeping your current systems running smoothly. Applying patches, setting configurations, and keeping your directory services updated sometimes fall by the wayside when new projects come up or when systems go down. Give them the time they need to perform the important-but-not-urgent tasks.
Conclusion
If your organization is struggling to tackle the challenges of cybersecurity in the 21st century, a good place to start is an approach that combines the NIST Cybersecurity Framework with a deliberately cultivated cybersecurity culture. Together, the framework and culture can give you the technical and organizational tools to empower informed risk-based decision-making at all levels of your organization.
