As the world becomes increasingly digitised, organisational security cultures are being put under the microscope. At CommBank, we’re focused on creating a cyber-accountable organisation. 

We have a long-established security awareness program comprising a multilayered range of initiatives. However, this has traditionally resembled a one-size-fits-all model.

We recently augmented these activities, recognising that a more role-specific approach to training is required to foster cyber accountability at all levels of our organisation. Honing in on the information pertinent to job roles makes it more relevant and more effective, as employees learn exactly what they need to do in their specific role to mitigate cyber risks.

We’ve adopted the mantra that cyber security should be everyone’s business – just as all colleagues use our technology, so, too, should everyone feel responsible for safeguarding the corporate and customer information accessed through that technology.

No matter who you are, what your role is, or where you work, you need to understand and be accountable for cyber security.

The research1 tells us that a strong security culture will ultimately increase the visibility of potential security issues, thereby reducing your risk and leaving you more resilient to potential cyber security incidents.

Framing cyber risk

Our first step in this journey has been rolling out cyber security training specifically targeting our senior leaders. Why did we start with them? Culture needs to be role-modelled from the top, and we realised that we needed to equip our leaders with the skills and confidence to engage with cyber accountabilities.

A key goal for this training was to make cyber risk feel more tangible. It’s easy to underestimate the sense of cyber accountability that comes when employees can contextualise cyber risks directly to their role, their line of business, and ultimately their performance.

Many organisations fall into the trap of presenting new hires with the information security and acceptable use of technology policies on day one and expect cyber accountability to automatically follow.

At the other end of the spectrum, organisations that use a “shock and awe” approach in security awareness training can also fail to hit the mark. This is because, while intriguing, it is hard for people to connect with stories about sophisticated nation-state cyber threat actors or technical descriptions of the latest breed of ransomware.

The relevance of this information in relation to a day-to-day role and risk management is often unclear. So, the best path towards a cyber-accountable culture lies somewhere in the middle – demonstrating how cyber risk typically manifests in your business through people and processes, as well as technology.

Using easy-to-understand, relatable internal or external case studies can prompt productive conversations about security. Speaking the language of your target audience will also increase understanding of the message.

At CommBank, our training opened with a short ice-breaker, in which we presented a list of activities happening every day in our business and asked participants to identify cyber and information security risks.

This activity sought to dispel two common misconceptions that many employees, even our most senior leaders, hold about cyber security: that it is predominantly concerned with protecting against sophisticated cybercrime or espionage activity, and secondly, that it is almost solely a technology issue and therefore not their responsibility.

Finding the right “so what?” to engage your audience

With a range of motivated external cyber threat actors looking for an open door to your organisation, and your employees either intentionally or accidentally leaving the door ajar, a cyber-security incident can impact the confidentiality, availability and integrity of your business operations in many ways.

These are the “hows” and “whys” that can be used to demonstrate the importance of cyber accountability at all levels of your organisation.

Cyber security incidents have typically been presented in news headlines through the narrow prism of data breaches, which, while catastrophic for individuals impacted, were generally considered survivable by culpable organisations.

However, the emergence of ransomware has demonstrated the crippling impact to business operations that comes when the availability of your information is threatened.

In framing cyber risk within your organisation, you could ask these questions:

  • Do we think that events reported in the news could happen to our business?
  • How would a cyber-security incident impact the confidentiality, integrity and availability of our information and therefore also our business operations?
  • What would be the impact of a cyber-security incident on our bottom line, and would that be survivable?
  • Based on the above, if we didn’t think we could afford to implement good security, do we now think we can’t afford not to?

Cultural transformation

Cyber accountability doesn’t come through training and awareness alone, which is why it’s essential to embed security into the fabric of how your organisation operates and demonstrate how strong cyber security supports your organisation’s purpose and outcomes.

A cyber-accountable organisation is one in which there’s a shared sense of ownership – everyone understands how cyber risk manifests up or downstream from their role in the business.

And just as with workplace health and safety, everyone feels compelled to take action and encourage good behaviour, because everyone benefits.

The target should be the seamless integration of security and protective behaviours into day-to-day operations1. Foundational to this is a culture of psychological safety, rather than leading with fear and blame, characterised by:

  • An understanding and acceptance that things are going to go wrong from time to time
  • A safe space to speak up exists when an issue is identified
  • Encouragement to report suspicious activity
  • Establishing your cyber security function as helpers rather than blockers or consequence enforcers
  • Positive feedback and reinforcement
  • Promoting ongoing engagement and learning rather than time-boxed training and awareness.

Follow these guides and you will be well on your way to creating a cyber-aware culture in your organisation. You’ll find more information about cyber security at CommBank Foresight, insights for future-facing businesses.

This article was written by Sam Wood, Senior Manager, Security Awareness; Melanie Timbrell, Senior Manager, Security Awareness; and Angie Russell, Enterprise Services Graduate at CommBank.

 

Things you should know

1 https://www.isaca.org/-/media/info/cybersecurity-culture-report/index.html

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article. Commonwealth Bank of Australia ABN 48 123 123 124. AFSL and Australian Credit Licence 234945.

The links within this article will bring you to a third party website, owned and operated by an independent party over which CBA has no control ("3rd Party Website"). Any link you make to or from the 3rd Party Website will be at your own risk. Any use of the 3rd Party Website will be subject to and any information you provide will be governed by the terms of the 3rd Party Website, including those relating to confidentiality, data privacy and security. 

Unless otherwise expressly agreed in writing, CBA and its affiliates (collectively "CBA") are not in any way associated with the owner or operator of the 3rd Party Website or responsible or liable for the goods and services offered by them or for anything in connection with such 3rd Party Website. CBA does not endorse or approve and makes no warranties, representations or undertakings relating to the content of the 3rd Party Website.

CBA disclaims liability for any loss, damage and any other consequence resulting directly or indirectly from or relating to your access to the 3rd Party Website or any information that you may provide or any transaction conducted on or via the 3rd Party Website or the failure of any information, goods or services posted or offered at the 3rd Party Website or any error, omission or misrepresentation on the 3rd Party Website or any computer virus arising from or system failure associated with the 3rd Party Website.