As the world becomes increasingly digitised, organisational security cultures are being put under the microscope. At CommBank, we’re focused on creating a cyber-accountable organisation.
We have a long-established security awareness program comprising a multilayered range of initiatives. However, this has traditionally resembled a one-size-fits-all model.
We recently augmented these activities, recognising that a more role-specific approach to training is required to foster cyber accountability at all levels of our organisation. Honing in on the information pertinent to job roles makes it more relevant and more effective, as employees learn exactly what they need to do in their specific role to mitigate cyber risks.
We’ve adopted the mantra that cyber security should be everyone’s business – just as all colleagues use our technology, so, too, should everyone feel responsible for safeguarding the corporate and customer information accessed through that technology.
No matter who you are, what your role is, or where you work, you need to understand and be accountable for cyber security.
The research1 tells us that a strong security culture will ultimately increase the visibility of potential security issues, thereby reducing your risk and leaving you more resilient to potential cyber security incidents.
Framing cyber risk
Our first step in this journey has been rolling out cyber security training specifically targeting our senior leaders. Why did we start with them? Culture needs to be role-modelled from the top, and we realised that we needed to equip our leaders with the skills and confidence to engage with cyber accountabilities.
A key goal for this training was to make cyber risk feel more tangible. It’s easy to underestimate the sense of cyber accountability that comes when employees can contextualise cyber risks directly to their role, their line of business, and ultimately their performance.
Many organisations fall into the trap of presenting new hires with the information security and acceptable use of technology policies on day one and expect cyber accountability to automatically follow.
At the other end of the spectrum, organisations that use a “shock and awe” approach in security awareness training can also fail to hit the mark. This is because, while intriguing, it is hard for people to connect with stories about sophisticated nation-state cyber threat actors or technical descriptions of the latest breed of ransomware.
The relevance of this information in relation to a day-to-day role and risk management is often unclear. So, the best path towards a cyber-accountable culture lies somewhere in the middle – demonstrating how cyber risk typically manifests in your business through people and processes, as well as technology.
Using easy-to-understand, relatable internal or external case studies can prompt productive conversations about security. Speaking the language of your target audience will also increase understanding of the message.
At CommBank, our training opened with a short ice-breaker, in which we presented a list of activities happening every day in our business and asked participants to identify cyber and information security risks.
This activity sought to dispel two common misconceptions that many employees, even our most senior leaders, hold about cyber security: that it is predominantly concerned with protecting against sophisticated cybercrime or espionage activity, and secondly, that it is almost solely a technology issue and therefore not their responsibility.
Finding the right “so what?” to engage your audience
With a range of motivated external cyber threat actors looking for an open door to your organisation, and your employees either intentionally or accidentally leaving the door ajar, a cyber-security incident can impact the confidentiality, availability and integrity of your business operations in many ways.
These are the “hows” and “whys” that can be used to demonstrate the importance of cyber accountability at all levels of your organisation.
Cyber security incidents have typically been presented in news headlines through the narrow prism of data breaches, which, while catastrophic for individuals impacted, were generally considered survivable by culpable organisations.
However, the emergence of ransomware has demonstrated the crippling impact to business operations that comes when the availability of your information is threatened.
In framing cyber risk within your organisation, you could ask these questions:
- Do we think that events reported in the news could happen to our business?
- How would a cyber-security incident impact the confidentiality, integrity and availability of our information and therefore also our business operations?
- What would be the impact of a cyber-security incident on our bottom line, and would that be survivable?
- Based on the above, if we didn’t think we could afford to implement good security, do we now think we can’t afford not to?
Cyber accountability doesn’t come through training and awareness alone, which is why it’s essential to embed security into the fabric of how your organisation operates and demonstrate how strong cyber security supports your organisation’s purpose and outcomes.
A cyber-accountable organisation is one in which there’s a shared sense of ownership – everyone understands how cyber risk manifests up or downstream from their role in the business.
And just as with workplace health and safety, everyone feels compelled to take action and encourage good behaviour, because everyone benefits.
The target should be the seamless integration of security and protective behaviours into day-to-day operations1. Foundational to this is a culture of psychological safety, rather than leading with fear and blame, characterised by:
- An understanding and acceptance that things are going to go wrong from time to time
- A safe space to speak up exists when an issue is identified
- Encouragement to report suspicious activity
- Establishing your cyber security function as helpers rather than blockers or consequence enforcers
- Positive feedback and reinforcement
- Promoting ongoing engagement and learning rather than time-boxed training and awareness.
Follow these guides and you will be well on your way to creating a cyber-aware culture in your organisation. You’ll find more information about cyber security at CommBank Foresight, insights for future-facing businesses.
This article was written by Sam Wood, Senior Manager, Security Awareness; Melanie Timbrell, Senior Manager, Security Awareness; and Angie Russell, Enterprise Services Graduate at CommBank.