Bridging the cybersecurity culture gap
Everyone seems to be talking about “workplace culture” these days. Although the concept has been around since the 1980s, businesses and government agencies are now realizing the importance of “the way we do things around here” to retaining valued employees and adding value to the enterprise, according to a Deloitte University Press report.
Now, some want to apply the concept to cybersecurity. Instilling a “cybersecurity culture” could improve any organization’s ability to safeguard its data, systems and networks, the theory goes. The National Cyber Security Alliance calls for a “culture of awareness” around cybersecurity in every workplace. But how do we make this happen? How do we create a culture in our organizations in which cybersecurity is a top priority at every level, from the boardroom to the break room?
For clues, we might look to security’s cousin, safety.
Although preventing accidents at work is a given in most workplaces today — so much so that “Safety First” signs seem almost cliché — safety hasn’t always been a priority. Since the Industrial Revolution, workplace safety has undergone a number of transformations, with many injuries, deaths, and lessons learned along the way. Accidents became the exception rather than the rule only in the last 50 years or so, since organizations began examining attitudes and perceptions around safety throughout the workplace, and how they affect practices.
The Australian Radiation Protection and Nuclear Safety Agency traces the evolution of safety in several stages, or “ages”:
- The age of technology: Starting with the Industrial Revolution some 250 years ago, machinery failures and flaws bore most of the blame for workplace accidents. Engineers strove to improve worker and plant safety by designing safer technology.
- The age of the human: After major accidents such as the Three Mile Island nuclear meltdown in 1979 pointed to human as well as technical deficiencies, engineers began factoring the human into their designs, aimed at correcting, compensating for, and even anticipating mistakes.
- The age of the organization: Disasters including an airplane crash and an oil spill prompted a new look at assumptions around safety — with people asking not only how these accidents happened, but why. Human and even technical failures were seen as the tip of the iceberg, indicating a lack of leadership at the highest levels, prompting a focus on improving an organization’s “safety culture.”
Evolving out risk
Researcher Philip Sutton lists four shifts in emphasis characterizing the evolution of workplace safety culture:
- From employee responsibility to management responsibility.
- From post-accident coping to prevention.
- From non-systematic management to whole-system management.
- From risk reduction to risk elimination.
When managers took up the safety mantle — establishing and enforcing protocols around safety, providing worker training, and encouraging supervisors and employees to report hazards — accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aiming not just to minimize risk, but to eliminate it altogether, according to a report in the Huffington Post.
The impetus for these changes came from organized labor and laws, but they succeeded only where top-level executives encouraged and supported them. Studies have shown a direct correlation between management commitment and worker safety.
In other words, to instill a culture of safety in any workplace, the impetus must come from the highest levels — and the message must be, “We are all in this together.” When every employee, from entry-level to executive, feels a vested interest in their own safety as well as that of colleagues and even the organization itself, then the goal of “zero risk” may at last become attainable.
Could the same be true for cybersecurity?
The cybersecurity shift
In the “Technological Revolution” of today, new technologies have exposed our workplaces and employees to new threats — of identity theft; data theft and manipulation; compromises of confidential, even proprietary, information; and more.
Initially, organizations focused on improving the technology with firewalls, anti-virus software, malware scanners and other “fixes.” Then, however, hackers began using phishing and social-engineering schemes to gain access to systems, requiring a shift in focus to the humans using them.
As large-scale breaches continue, however, cybersecurity, too, may need a cultural shift — one that, like successful safety cultures, is designed around processes, not functions; is inclusive and collaborative across all departments, offices, and levels; encourages and incentivizes shared responsibility; and retains flexibility, allowing us to learn, change, and grow.
Changing a workplace’s culture can be daunting, especially across multiple agencies or locations. But, as advances in workplace safety show, it’s doable with support from the top — and the “trickle-down” effect, resulting in buy-in at every level, may help us not only to reduce risk, but to eliminate it.
As we look toward the future — a continual mandate in the cybersecurity profession — we would do well to consider the lessons of the past, and what has worked in other realms such as organizational safety, and safety culture. How can we rally our workforces around cybersecurity in a way that goes to the very heart of our organizations — to the culture that defines us?
JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer.