• CSNP

Humanizing Cybersecurity Culture

Authors: Shary Llanos Antonio and Adriana Jaramillo Pinzón


The best way to reduce information security risks in an organization is to build a cybersecurity culture that helps protect critical information assets[i]. Protecting information assets using technology controls is known as cybersecurity; however, people play an essential role as they are the first line of defense against cyber-attacks.


Building a strong cybersecurity culture should be fundamental in creating a great organizational culture. Cybersecurity culture is all the knowledge, beliefs, and perceptions people have regarding cybersecurity; it should be valued and promoted by everyone, each from their own business role and each committed to protecting information assets through security-conscious behavior.

We consider that cybersecurity culture must be resilient, inclusive, proactive, engaging, and adaptive. It needs to thrive even during difficult times. Cybersecurity culture must include all people and create spaces to discuss and assess risks before taking action. Lastly, it needs to establish the value of information assets, their best treatment, and their safeguards according to their relevance to the organization's mission or objective.

Likewise, we argue that promoting and strengthening cybersecurity culture is vital to prevent and mitigate risk scenarios where high-value information assets are not adequately protected, strengthening the organization's capacity to resist cyber threats from a human point of view.


Some recommendations for the development of an effective cybersecurity culture among end-users are:

  • Grow a cybersecurity mindset that will incorporate security at all organizational levels.

  • Create a fun and engaging awareness program that incorporates gamification and caters to specific segments of your organization.

  • Celebrate and reward people that do the right thing for security with giveaways or public recognition.

Moreover, 2020 was a challenging year for cybersecurity culture. The COVID-19 pandemic forced us to migrate, explore, and adapt to new ways of working. We had to overcome technological adversities such as connectivity, workspace, availability, and equipment obsolescence. Likewise, we transformed spaces, shared resources, and cultivated knowledge while also incorporating basic principles of cybersecurity culture into our home-office environment, which was less controlled by the organization's security policies.

We believe that cybersecurity culture is still in the early adoption phase. However, through time and experience, we embrace a more cyber-secure culture that provides greater confidence in remote operations and allows us to acknowledge the risks and vulnerabilities information assets face.

Kevin Mitnick, a world-famous hacker, said:

"Companies invest millions in firewalls, encryption, and devices to securely access, and money is wasted because none of these measures fixes the weakest link in the security chain: the people who use and manage computers."

This phrase recognizes the relevance of humanizing and having a solid cybersecurity culture in our organizations, allowing us to identify, protect, detect, respond, and recover from any cyber incident.

We are all cybersecurity!

[i] Data or other knowledge that has value to an organization.


About the Authors:


Shary Llanos Antonio is the IT security strategy leader at a Colombian governmental office, with over 7 years of experience as an IT project manager and Information Security specialist in the public sector. Shary is a computer systems engineer working towards her Computer Science Master’s degree. She is also a member of Women in Cybersecurity (WiCyS) and is passionate about cybersecurity awareness and community empowerment.

@techbyshar


Adriana Jaramillo Pinzón is a computer systems engineer with over 10 years of experience in cybersecurity working in the education sector. She is currently the CISO of Colombia National University. Adriana is passionate about cybersecurity awareness and is a member of the OAS cybersecurity program and other Information Security professional communities.

@amjaramillop
