I’m sure you’ve seen it.

Business owners that will sign on the dotted line just to get more security in place.

They come to you asking for help and you end up giving them top-notch solutions.

(Note: if you need help figuring out a good cyber stack, consider a cyber stack evaluation).

They’ve seen the news and want nothing to do with the mounting headlines underscoring the growing threats to their business. The invisible threat of ransomware attacks is something we cannot easily predict or prescribe for ahead of time.

It’s more akin to the acute heart attack that only becomes a problem once it happens.

It’s the type of problem that no one can easily fix with some prescribed medicine. It often takes informed decisions, habit changes, and hard work to overcome.

We’ve been invested in trying to find a cure through technology for a problem that will persist even with the best technology available.

While technology does help with the problem of protecting our networks and teams, it certainly is not and will never be the one-stop solution to keep them safe.

The human side of security—and by human side I do NOT mean user training—is what’s really holding us back.

What I am getting at is cybersecurity cannot be solely dependent on technology. Culture in your workplace plays at least an equal role towards your security posture.

And by culture I mean much more than simply shoving policies down your team’s throat. If you think policy can keep your team secure, just revisit the simplest policy most of us experience every day. Speed Limit 65. A three-word policy. How often is it broken? I saw at least a dozen cars pass me doing 70 on the highway this morning on the way into work.

Policies demanding password changes might get some to comply, but most of us simply aren’t wired to adhere to a policy without really understanding why. Merely training on policies will only get you so far towards a goal of being secure as an organization.

When I think of a culture of security, I think of a team that frequently discusses what’s going on.

Get your team talking about current issues—whether on your network or things you’ve seen in the news. Dive into the implications of specific risks. Get them to understand and realize the importance behind a certain policy rather than telling them to blindly follow something.

One of the easiest ways we’ve been seeing MSPs dive into security and live it is by discussing topics around security operations.

The more meaningful you make your conversations, and the more involved you get your team in owning how security is implemented within your MSP, the easier it will be to get people on board with more stringent security (and this will eventually snowball into them saying something when they see things on your network rather than siloing themselves in their specific work).

Not until they see how their behaviors impact your organization and their own personal security will they try to course correct what they’ve been doing. Until you have a team self-policing activities within your organization rather than assigning one police officer to regulate how everyone else works, you won’t actually get a team that applies security to their work.

Let me be clear here—getting to a place where you have a good cybersecurity culture is HARD.

I see two main reasons why implementing a sustainable cybersecurity culture is hard:

  1. Lack of team buy-in. Even with you focusing on creating awareness, you might have the problem where certain individuals don’t understand their role in the security culture. Until they can see where they fit and their role within, you might have people that simply refuse to buy into the idea of a cybersecurity-centric culture (and don’t for a second think that training is the golden bullet!).
  2. Lack of leadership buy-in. I’m sure you’ve heard the saying “practice what you preach.” This is the boiled-down truth of cybersecurity hygiene. If you as a leader within your MSP are not living by the same expectations as your team, you are diluting your cybersecurity-focused culture. Expect the same standards (or higher) of your leadership team when it comes to security hygiene and see how others will fall in line.

Final thoughts…

When you create a sustainable cybersecurity culture within your team, everyone learns to understand their role in keeping your organization secure. Everyone will accept responsibility and quickly course correct to protect themselves and others from new threats. Behavior and hygiene are two of the weakest links in security today. That is especially true amongst technical teams. By investing in ways to enable your team to protect themselves, you’re shifting control of your security away from expensive solutions that claim to work and toward a time-tested solution that will live on regardless of the tools you’re using.

One of the easiest ways to start the journey towards a cybersecurity culture is creating awareness. Check out how a cyber stack evaluation may give your team insights on how vulnerable their data is without having to experience the wrath of a malicious attack.