Why simply being told what to do might not be enough to maintain a strong cybersecurity posture.

I’ve been seeing a LOT of cybersecurity experts telling people what they have to do to be secure or avoid being the target of a cyberattack.

They are writing articles and books and giving webinars and seminars devoted COMPLETELY to what you need to do.

Now I don’t see tips and steps—or even checklists—as a bad thing in your quest to protect your teams, your data and your organization when it comes to cybersecurity. But one thing that these experts are missing is that cybersecurity does NOT start with implementing new things, new tactics, or even completely following someone else’s guidelines.

What I’ve come to terms with over the past 20 years of protecting organizations in healthcare and the financial sector is that cybersecurity needs to be more than rules (policies and procedures). I have been adamant in the past couple of years—having lectured at cybersecurity events across the country—that our way of implementing and securing our networks has to fundamentally change.

Think about this for a moment…

When was the last time you or anyone else you know went through cybersecurity video training and then proceeded to have a follow-up conversation with colleagues about it? When I speak to audiences jam-packed with cybersecurity professionals or IT teams, nearly everyone raises a hand when reflecting on video training—especially training that revolves around cybersecurity.

The conclusion—they all mute the video.

Instead of listening to a narrator go through slide upon slide of here’s-what-you-do, most people either mute the video (if they’re required to view the entire thing) or fast-forward to the exam questions. At that point, the questions are either easy enough to guess and pass with flying colors, or the PowerPoint slides are available to look up the answers—which land only in short-term memory.

I’d venture to say that no one retains much from training events and most are just paying lip service to security (only implementing what’s convenient).

I know you might be thinking: can’t we just invest in new technology?

I’d say technology is an important piece, but sometimes you or your teams cannot afford the financial burden of state-of-the-art solutions, OR it would be more effective to get people to do something than to try to get technology to work the exact way you want it to (most technology wasn’t necessarily designed with you in mind).

My take on technology is it can only ever be part of the solution to your security problems.

Going back to my original concern, many leaders in IT are being told that if they follow the steps given by security experts, their organization will be secure.

Let’s think about this for a minute.

Your IT team has been following specific policies and procedures for years. They’ve forged their habits around procedures within your organization.

What if a security expert tells you that you will need to change and do everything their way to be secure? (Essentially, this is what a LOT of people selling cybersecurity services are doing.)

You need to change the tools you’re using, force your entire team to adhere to different procedures, and enforce rules that never existed before.

How easy will that be?

I’ve tried to implement security this way before. In fact, when I was younger and a little naïve, I thought that I could implement someone else’s plan in my organization.

The result: nothing really changed.

My team was unwilling to waste 6-8 months of time devoted to retooling and reworking what we were doing to completely follow this person’s advice.

Every time I went back to the cybersecurity ‘guru’, they said I hadn’t done everything to the ‘t’—that I still had more things to change (and more consultations to pay for) to get everything the way it should be.

After spending 8 months with no progress, I started seeing that this advice-driven method to cybersecurity would not protect my business, nor maintain a healthy environment of cybersecurity going forward.

What I saw—something I think is missing in most organizations today—is a framework for cybersecurity that integrates with your tools and fits in your culture.

What I learned?

Cybersecurity needs to be an integral part of your culture to be at all successful.

By culture I don’t mean you need to redefine your core values, mission statement, or the type of team members that fit your organization. What I mean is that the people in your organization need to understand and start living cybersecurity. More than anything, they need to understand the ‘whys’ behind certain actions.

Telling someone to do something one way won’t help.

Showing people how to implement specifics is vitally necessary. But without context, stories and understanding across the teams or members of your organization, most cybersecurity initiatives—even phishing training—will fall far short of the impact they could have had.

I know that this might seem like a big ask. Integrating cybersecurity into your culture, and showing how it links to your teams’ values and why it’s a priority for everyone, might seem like an impossible task.

But consider the alternative: asking everyone to completely change the tools they use, the processes they work with, ALL of their habits and behaviors. Essentially, doing this turns your company or organization into someone else’s. Does that seem like a reasonable task or goal?

What’s the alternative to transitioning your IT processes, procedures and team into someone else’s?

Consider integrating your framework into your culture. I don’t mean creating a new policy or procedure here. Start continuously communicating with and following up with your team, in a way that fits your culture and how you run your IT.

A good first step? Evaluate your team’s cybersecurity habits right now and figure out what specifically will need changing.