Securing a Security Mindset
Once bitten, twice shy.
I learnt this idiom back in school: it describes how people become especially afraid of, or extra cautious around, a dangerous or unpleasant situation that they have suffered or experienced before.
Unfortunately, the converse also seems to be true: too many people do not seem to care about or be cautious of dangerous situations until and unless they have suffered from them. We see this in how lightly some people treat COVID-19 precautions, where they do not adhere to safe-distancing measures or do not wear a mask. And if they do wear a mask, they may wear it improperly, leaving the nose uncovered or wearing it too loosely, which makes it ineffective.
This also happens in IT security, where security is often not taken seriously enough. Sure, security solutions might have been adopted and security measures put in place, but these may be patchy and even then, may not be adequately patched!
We all know that prevention is better than cure (another idiom I learnt in school!), but often lack the will or motivation to take preventive measures. Our natural inclination is to only do what is required, and preventive measures run the danger of being regarded as “not really required” as they appear not to yield any tangible results.
For organizations to overcome such natural inclinations in their employees, it is necessary to build and inculcate an organizational culture that values and practices cybersecurity as an integral part of the work ethos. Chris Romeo in TechBeacon suggests six ways that an organization can build a healthy security culture:
1. Instill the concept that security belongs to everyone
2. Focus on awareness and beyond
3. Have a secure development lifecycle
4. Reward and recognize people that do the right thing for security
5. Build a security community
6. Make security fun and engaging
But beyond building a healthy security culture, what is needed is a mindset change such that everyone regards the measures needed for cybersecurity as necessary. With such a mindset change, people will practice good cybersecurity habits even when no one is watching, and whether or not there are punitive measures for not doing so or rewards for doing so. And here, I would like to suggest that the organization’s Leadership Team plays a pivotal role in effecting this mindset change.
The Leadership Team sets the tone and direction for the organization’s priorities, for what it wants the rest of the organization to focus on. The Leadership Team not only needs to prioritize cybersecurity as an organizational imperative, but its members must themselves practice, and be seen to practice, good cybersecurity habits. For a successful mindset change, you need a Leadership Team that leads by example and walks the talk for the rest of the organization to follow.
The problem, however, is that not many organizational leaders want to build a security culture, or see the need to. They think that cyberattacks will not happen to them because they are too small, or too obscure and unknown, for hackers to bother with. Or they may think that cybersecurity is too expensive and difficult to implement.
The reality is that every organization is fair game for hackers. So, if we want a more secure organization, we must make a start somewhere, and the best place to start is for the leadership to adopt a security mindset and to practice good security hygiene in their day-to-day work. Even if only a few cybersecurity practices are adopted at first, this has the potential to cut down on a lot of security issues, and it sets the stage for wider adoption of a security mindset across the organization.
Changing mindsets takes time and is not easy. But in today’s connected world, it is essential when it comes to cybersecurity. We need to remember that it is always better to be safe than sorry.