Security leaders often get stuck in the old mindset of being the “no” person in IT. But today, they have a new opportunity. The National Cyber Security Centre (NCSC) has released guidance to help create strong cyber security cultures in the workplace.
End-users are on the front lines of cyber defense. Organizations that develop a robust security culture tend to bounce back more effectively from attacks. Yet, this concept isn’t easy for security leaders to promote. It often gets overshadowed by the latest tools and products. The NCSC defines cyber security culture as the shared understanding of what’s normal in terms of security practices, shaping expectations for behavior and teamwork.
Ollie Whitehouse, the NCSC’s chief technology officer, emphasizes that business leaders must treat cyber security as essential to their success. He warns that without a culture that makes security relevant to everyone, risks can go unnoticed, leaving organizations vulnerable to threats.
The NCSC has laid out six principles to help security leaders establish a strong cyber security culture:
- Frame Security as Enabling: Leaders should present security as a facilitator of business goals. Employees need to see how their actions keep IT systems running smoothly. Security policies shouldn’t be seen as barriers but as essential components of their work.
- Build Trust and Openness: Create an environment where employees feel safe discussing cyber security issues. They should have easy ways to ask questions and report problems without fear of blame. Focus on learning from mistakes rather than castigating those who err.
- Embrace Change: Organizations must adapt to new threats while remaining cautious about changes that could disrupt operations. Employees need support to understand new policies and their implications.
- Promote Secure Behaviors: The unwritten rules in any workplace can undermine security. Leaders must tackle these norms head-on and address underlying values, making sure that secure practices are part of the culture.
- Engage Leadership: The wider leadership team must acknowledge their influence on security culture. They should work together to create a shared purpose that guides decision-making and encourages secure practices.
- Maintain Clear Guidelines: Security rules should be straightforward and accessible. They need to be tested for effectiveness and adjusted based on feedback. It’s crucial to differentiate between mandatory rules and helpful guidelines, ensuring everyone is aligned with the company’s objectives.
These principles provide a roadmap for fostering a culture where security is part of everyone’s responsibility, making it a proactive rather than reactive element of business operations.