Changing values related to cybersecurity

When we talk about values, we are talking about giving something worth. Giving it meaning and importance in the lives of those around us. So, if the 'fear factor' isn't enough to inspire action, how do we give cybersecurity value in the eyes of our employees?

Certainly, leading by example is key. Both in terms of talking the talk and providing budget for cyberdefense efforts, leadership in all lines of business must understand the importance of cybersecurity and must routinely encourage people to take appropriate actions. And, of course, they must do so themselves: you can't tell others to change their passwords and then keep yours for 25 years because it's easier that way.

Sometimes though, people need more before they place value on an idea. Think about a sport that you participate in and value. You brag about your accomplishments on the field. You celebrate successes with your team. You might encourage someone else to give it a try and support them in doing so.

The same is needed with cybersecurity initiatives. People must be regularly encouraged and reminded about how important their role is. They must be celebrated for putting the effort in: they need to be thanked when they raise a red flag, admit a mistake or follow policies.

Changing goals pertaining to cybersecurity

All goals require measurement to be successful, but how do you measure awareness and uptake around this issue? Remember that this is about shifting the culture, so you don't want to rely on tried-and-true technical KPIs, like the number of incidents or the cost per incident.

Instead, think about how to measure employee involvement:

  • Are people reading the information that you provide? What type of click rates do you get? Open rates?
  • Are they agreeing to policies and procedures? How many turned in a signed copy of the policy? How many completed training?
  • Are employees actually more aware of their role in cybersecurity? Perhaps survey them annually to find out what they know and don't know.
  • Is the IT department getting more requests to evaluate apps/programs? Or more reports of suspicious activity?

And keep in mind that a cultural shift needs to be a collective effort, so don't keep the numbers hidden. You may even want to celebrate the effort a bit: 'Hey everyone, we were at 85% awareness last year. Let's see if we can hit 92% this year! First person to turn in their survey gets a prize!'

Disclaimer

OTRS AG published this content on 22 October 2018 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 22 October 2018 09:17:02 UTC