Zero to Safety: How to Build a Cybersecurity Culture

Stop me if you’ve heard this one…

After reading about another high-profile data breach from a nationally recognized brand, your company’s leadership greenlights additional budget for a technological solution to beef up cybersecurity.

Your team implements the new technology and spends weeks fielding employee access questions, all of which you already answered in painstaking detail in a largely ignored company-wide email.

Then, after all the hard work and education, you’re reminded there’s no technological solution for a remote employee’s unattended laptop and a click-happy child.

Too often, culture initiatives focus on people and processes, while cybersecurity issues are treated as a constant search for technological solutions.

But it doesn’t have to be that way.

A New Evaluation Matrix

The best way forward is treating cybersecurity like a critical part of your culture, rather than a wall you build around it.

Building cybersecurity culture requires an innovative approach to assessing your current security model. But innovation doesn’t have to mean overwhelming reinvention; it can be accomplished through a creative pairing of two popular security frameworks – PPT and the CIA triad.

The CIA triad is a model that guides an organization’s information security policies based on confidentiality, integrity, and availability:

• Confidentiality: The ability to access and modify data is available to only authorized users.
• Integrity: Data is maintained in a state that cannot be improperly modified, accidentally or maliciously.
• Availability: Authorized users have the ability to access data whenever they need it.

While the CIA triad is widely applied to information security, its concepts are too valuable to be limited to data.

Confidentiality, Integrity, and Availability can illuminate all aspects of organizational security when the triad is applied to each area of PPT – People, Processes, and Technology.

Meshing these frameworks into an innovative new matrix can deepen your evaluation of security practices, strengthen your organizational approach, and break the habit of over-reliance on technology-only solutions.

People – An Army of Everyone

As your employees have been thrust into remote work, they have become your organization’s first line of defense.

PPT deputizes members of your organization and allows you to build processes by which threats decrease as each individual’s security value increases.

In a PPT security culture you no longer lead your company’s understaffed, overworked singular line of defense. You and your team lead an engaged Cybersecurity team that includes exactly EVERYONE.

Your people are the first line of defense in preventing cybersecurity attacks. The TSA’s motto of “See Something, Say Something” applies not only to airports, but to cybersecurity threats as well.

Process – Continual Improvement

If the people in your organization can’t follow security processes, you don’t have a people problem; you have a process problem.

Embracing a people-focused approach helps ensure employees get engaged in your security culture. Building great processes helps ensures all employees stay engaged.

Defined processes are the key, especially now, given the remote nature of employees.

Technology – Earning Trust

To paraphrase Mark Twain, reports of VPN’s death have been greatly underreported.

Virtual Private Networks (VPN) have been a staple in organizational security, but technology is changing, and so is your organization’s perimeter.

Zero Trust is a relatively new idea well on its way to becoming a foundational step in maintaining security across your flexible and dynamic workforce. It’s a concept built on the belief your organization should not automatically trust anyone, and when trust is earned, it is limited to that which is needed to perform their tasks.

“Need-to-know” is a key principle in national security. Zero Trust is a way to apply that concept across your organization.

By applying this Zero Trust lens when analyzing new technologies, as well as your people and processes, you’ll likely find yourself making a natural connection between equally important components of your organization’s safety.

In other words, you’ll stop seeing technology as a standalone solution, and start seeing it as one pillar in the security culture you’re building.

Technology should be one of the last items to look at when evaluating your cybersecurity posture. Technology is an enabler, not the end-all-be-all solution.

Moving Forward

To thrive in a post-COVID world, leaders need to be less reactive and reliant on technology-only solutions, instead taking a proactive, cultural approach to security through deep examination of their existing practices.

Over the next couple of weeks, we will help provide that depth by combining three successful ideas into one innovative approach, assessing PPT (People, Process, and Technology) through the lens of the CIA (Confidentiality, Integrity, Availability) triad in a Zero Trust culture.