How to instil culture change, and what recent guidance can offer boards.
With a frequently cited 95 percent of breaches tied to human error, is it incumbent upon the leadership of an organisation to ensure that a “cybersecurity first culture” is cultivated?
Speaking at the UK Cyber Week event in London this week, Robert Hannigan, former director of GCHQ and now head of international business at BlueVoyant, cited statistics suggesting that “80 percent of the problems are tied to ten percent of the workforce,” and asked: “why are we not communicating with the other 90 percent, and how do we communicate with the other ten percent?”
Awareness vs Vigilance
Hannigan said that awareness education, when done internally, often involves talking about threats, scaring people and describing “how awful things are,” whereas the real objective for CISOs is to improve employees’ day-to-day vigilance.
Hannigan cited the top five things that a business should be doing in cultivating a cybersecurity-first culture:
Be better at communicating; your friend here is internal comms, as you will need that expertise to drive this.
Training is not the same as developing software, so tailor it accordingly.
Consider your demographics, as some employees like gamification, while others want advice and a way to report concerns.
Recognise that people do not understand all of the problems.
Engage leadership at all levels and in all divisions, and make cybersecurity a common brand so that everyone is cyber aware.
Health and Safety
One area Hannigan was keen to stress was the importance of looking at what already works. He cited the health and safety advice in one business he had worked with, where posters encouraged staff to ‘hold the handrail.’ He explained that this advice instilled a culture of safety and resulted in a 100 percent drop in incidents.
“Use the health and safety model of what works, and how to get the same thing for cybersecurity and reflect on what works that you may spread into cybersecurity,” he said.
Following the roll-out of the proposed details of the Cyber Security and Resilience Bill at the start of this month, Hannigan said that resilience “is cross functional” and that getting the pillars of cybersecurity understood is critical. Having been involved in recoveries, he said it is clear where the problems lie: “muscle memory is at the heart of culture change,” he claimed, so the key is to make the organisation familiar with those pillars and processes so that it does not panic when an incident hits.
“Culture change can empower people, as people can be very stressed in an incident and fragile, and you can't do culture change without worrying about people in your care,” he said.
He also discouraged a blame culture, saying this “leads to more failure,” and that you need to know what failed and learn from that failure.
“Don't stop the culture change,” he said. “You can never say you've ever done it. You could just say you've made a start and you're hoping to be heading in the right direction.”
Guidance
The past month also saw the UK government publish a code of practice, offering guidance for business leaders on cybersecurity issues. Speaking to SC UK, Hannigan said that the guidance was timely, as whilst cyber issues are not a matter for a board’s day-to-day management, cyber governance does require some engagement from leadership.
“I think it's really helpful for boards,” he said on the code of practice. “It's helpful because I think the big challenge has been how to be able to understand risk and ultimately what they are missing. I think that is very helpful for non-expert boards.”
He also cited the similarity to the advice given in the 10 Steps to Cyber Security, saying that earlier advice was just a “first attempt to change the way people think,” and whilst there are overlaps, “this is really efficient and offers practical ways to help.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.