What is cultural cyber security?
Updated: Jan 21, 2018
October 4, 2017 | Dr James Carlopio
There are levels of thinking related to cyber security that seem to flow in a developmental progression.
Level 1: Technology
If you have been at all aware of cyber security for the last year or two, you will also likely be aware that the problem, and the solution, is not purely technical. Of course, up-to-date technology, both hardware and software, is necessary for cyber security. While it is necessary, it is not sufficient.
Level 2: Compliance
The inevitable next step is to start to think about the people factor. Our employees are now clearly the weakest link and therefore many organisations start by focusing on policies and procedures to help guide staff and keep them and the organisation safe. Unfortunately, we know that while it is important to have policies and procedures, and to enforce them, not everyone will comply. As with technology, a compliance approach is another necessary, but not sufficient, aspect of cyber security.
Level 3: Education and awareness
The third wave in thinking about cyber security has moved beyond technology and compliance and is focused on awareness-raising, education and training of staff. Staff are educated and trained, subjected to internal testing, and then re-educated. The newest thinking seems to be about institutionalising cyber security and moving it into the C-suite and the Board. While laudable, that is not really anything new. It is simply an extension of this third level of education and awareness-raising from staff to senior managers and board members.
Level 4: Cultural cyber security … a high-performance culture
The fourth level of thinking is cyber security where the entire culture of the organisation and its boundary environments (i.e., from safety, to IT, to HR and through all operational areas, from the hierarchical top to the bottom, from suppliers to customers and from work to home) all embrace a culture of care for each other, listening, 100% integrity, personal responsibility for security, speaking up and speaking out, and full commitment to zero harm in all aspects of security, safety and performance. This is the highest level of awareness and sophistication in cyber security. It is the holistic integration of people and technology, the visible (systems, policies and procedures) and the invisible (people's values, attitudes and beliefs), that come together to give us the best chance of fighting against organised crime and cyber-attacks. It is organised resistance. It is unlikely we will ever be 100% secure. Life is hazardous, and as long as criminals continue to try to cause harm, risk will continue to exist as it always has. Our best defence is an attitude of conscious care, of constant vigilance and a high-performance cyber-security culture.