The latest cyber attacks, such as the one on Transnet in South Africa, have once again confirmed the importance of sound cybersecurity. And that security rests largely on a sound cybersecurity culture.
It has been proven time and time again that no organisation in this world is bulletproof against cyber attacks. Multiple supercomputers at European institutions were recently infected with cryptojacking malware, and the organisations hosting them were forced to halt their research in order to investigate the intrusions.
These incidents are further proof that cybersecurity is a key element of today’s world: not even the most advanced supercomputers are safe from cybercriminals.
But what are the causes of these vulnerabilities?
There are, actually, at least two big problems.
One of the biggest hurdles is the insufficient number of skilled cybersecurity professionals. It is estimated that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014. The World Economic Forum (WEF) recently remarked that nowhere is the workforce skills gap more pronounced than in cybersecurity.
The MIT Technology Review indicated that only one in four candidates applying for cybersecurity positions is qualified. No wonder, then, that the unemployment rate among cybersecurity professionals is zero percent.
The impact of this skills gap is severe. Forbes recently reported that 74% of the companies it surveyed stated that the skills shortage is affecting their business, including their ability to keep data and information secure. Furthermore, Burning Glass reported that the number of cybersecurity job postings has grown 94% in just six years, but there are not enough suitable candidates to fill these positions.
Cybersecurity culture, defined as the shared values, conceptions, attitudes, knowledge and behaviour of individuals and groups focused on creating security, or more precisely the lack of such a culture, is another big problem for many organisations.
A cybersecurity culture aims to instil a certain way of ‘naturally behaving’ in cyberspace, one that subscribes to certain cybersecurity assumptions. However, for a cybersecurity culture to effectively counter the weakest cybersecurity link, the human factor, organisations have to address end-user knowledge as well as end-user behaviour.
The culture in the cyber world therefore rests on two major pillars: awareness and education. Both pillars are inextricably linked to humans, i.e. the end-users of modern digital technology.
It is, however, frequently reported that humans still pose the primary threat and vulnerability to the protection of organisational digital systems. Hence, all employees must take responsibility for maintaining a secure and vigilant culture at work.
Here we come to the redwood forests.
The redwoods’ lesson for cybersecurity
I recently heard a story about redwood trees, which are among the largest trees on the planet.
Some of these trees are hundreds or even thousands of years old. However, their roots do not grow deep. Despite this, these trees have stood for centuries, enduring massive windstorms, frigid blizzards and devastating earthquakes.
A rather mysterious question arises: how do they keep standing?
The secret is fairly simple: the roots under the ground actually reach outward, seeking the roots of other redwood trees. When they meet, they intertwine, forming a permanent bond with each other. In this way, all the redwood trees in the entire forest, directly or indirectly, give support to one another.
Unity is their strength – they reach out to care for each other.
Accordingly, we should learn to act cooperatively to effectively protect our organisational and private cyberspace.
Security professionals are, more often wrongly than rightly, blamed for failures of organisational information security. As we have seen, there are currently not even enough cybersecurity professionals ‘to be blamed’.
Again, instead of playing the blame game, we should develop a culture of working together and sharing responsibility.
As we have recently suggested, it is important to understand that there are three general layers responsible for securing an organisation’s digital future.
The first layer consists of information security professionals, responsible primarily for the technological protection of organisational information assets.
The second layer is the company’s IT department, which is in charge of supporting the organisation’s business goals and operations.
The third, enabling layer comprises business leaders, managers and employees. The managerial part of this layer is responsible for strategies, policies and, equally importantly, the allocation of the resources necessary for securing valuable organisational information resources.
All employees, however, should be responsible for executing the organisation’s cybersecurity strategy, policies, practices and procedures. Awareness and knowledge of these duties should come through the development and implementation of a sound cybersecurity culture.
The organisational cybersecurity culture should also nurture open-mindedness. In other words, as we recently suggested, organisations should recognise the criticality of non-technical cybersecurity staff. There is a growing view that the cybersecurity field needs greater diversity of thought and background, which non-technical people (e.g. psychologists, mathematicians, sociologists, philosophers and the like) bring to it.
For example, liberal arts experts are needed to ‘translate’ cybersecurity jargon for business people: “The frequent stories of cybersecurity teams not getting management support for the tools and personnel they need come down to not effectively telling the cybersecurity story”, suggests Wesley Simpson, COO of (ISC)².
A few words on changing cybersecurity culture
We have written about this topic a few times so far, and have suggested putting first things first: changing cybersecurity culture requires time and effort. It should begin with a risk assessment, as there is no effective generic cybersecurity culture.
Setting achievable and measurable goals for building an effective cybersecurity culture is not possible without assessing the particular threats, vulnerabilities and associated business risks. This holds for both the cybersecurity of the organisation and the privacy of its employees.
The development of a cybersecurity culture must consider many different technical and organisational factors. Although modern technologies are essential for confronting cyber threats, other factors such as effective and actionable policies, information sharing and user awareness must also be part of the organisational cybersecurity culture.
The increasingly mobile workforce and working from home also affect organisational cybersecurity culture. Hence, companies should enforce and maintain a culture of acceptable mobile security behaviour.
Returning to the story of the redwoods: to improve an organisation’s posture, cybersecurity culture must be built on the premise that it has to be a collective effort, one that interlinks cybersecurity practices with business operations.
This approach should also demonstrate that cybersecurity is not solely the function of often under-resourced security departments but of the whole organisation. An effective cybersecurity culture ensures that each employee develops a vested interest in protecting the organisation.