Q&A: Best Practices for Building a Culture of Cybersecurity
With cybercriminals increasingly well organized, companies must infuse cybersecurity awareness into their corporate culture.
- Cybersecurity preparedness and widespread cybersecurity awareness throughout an enterprise go hand in hand.
- Integrating cybersecurity into the corporate culture means infusing it into every business-related activity — from operations to marketing to product design.
- To change employees’ behavior and influence their hearts and minds, a simple reward system can be very effective.
“Cyberattacks are increasing in frequency, sophistication and impact. Defending against them requires a new perspective on the attacks and the attackers.” So declare Keri Pearlson and her co-authors in Casting the Dark Web in a New Light, an MIT Sloan School of Management publication.
With cyberattacks increasingly threatening businesses, CISOs and cybersecurity professionals need new approaches to protect their companies, says Pearlson, executive director of Cybersecurity at MIT Sloan. Central to this is infusing cybersecurity awareness into an organization’s culture, and this, says Pearlson, is an enterprise-wide project. “People have to get involved at multiple levels,” she notes. “It's not just the CISO's job.”
In the interview with Mimecast contributor Mercedes Cardona that follows, Pearlson explains how cybercriminals have become increasingly organized and describes some of the best practices companies need to follow in order to fight back.
Editor’s Note: This is the second in a series of interviews with leading cybersecurity experts from academia, research institutions and the private sector.
Mimecast: So how does a company create a culture of cybersecurity? Does cybersecurity awareness training help?
Keri Pearlson: Many companies have compliance training programs and they are useful for a number of things. One is they can check the compliance box that they have this. But another is that they set a baseline for their employees.
The most effective training is something that happens in the moment, when I need it, not something I took when I started the job. We want the general employee — not the cyber team, but you and me — to do certain things. We want them to not click on a phishing email; we want them, if they see a weird website or something, to report it. We want them, if they happen to — by accident or on purpose — click on something that launches something that they didn't expect, to tell us so that we can go investigate it. We want them to not plug in thumb drives that they find outside and don't know what's on them.
We want teams to work together. If you see something that looks odd, we want you to turn to your colleague and say: “I just got this, did you get something like this, or have you seen it?”
These are behaviors that we want to drive. But behaviors are driven by values, attitudes and beliefs. If you think it's important, you're probably going to do something about it.
Mimecast: In your articles, you discuss security as it relates to operational technology versus information technology. Can you explain what that means?
Pearlson: We're talking about technologies that are used to run a company. It could be manufacturing or industrial controls, utilities, boilers and chillers or big offshore oil rigs. There're all sorts of technologies that run our companies these days, and the people running them are OT — operational technologists. Information technologists tend to be people that are working with information, and the core of their work is digital — like banking or credit card processing or organizational data of some sort.
The OT people already have a very strong culture of security. You're on an offshore oil rig; you're in a boiler-chiller plant; you're in a manufacturing plant that's got machinery going. You're already safety-conscious; you're not going to stick your finger on a piece of equipment because you want to see if it's hot.
We want to make sure that this security culture extends to include information security. For example, you don't want somebody hacking in and changing the settings — turning the boiler up so that it explodes. These operational systems are digitally based, but not in the way we traditionally think about information systems. IT departments don't necessarily manage OT. The OT is managed by a separate group, usually the people running the operations.
We want to apply the same safety rigor that already exists in these OT environments to the information or digital side of their operations. And they may not be thinking about it that way.
Mimecast: How do you create this kind of cybersecurity awareness in a recessionary economy, when businesses are faced with so many other competing priorities?
Pearlson: This is the art of management. Managers have to figure out what the priorities are and where they're going to devote their attention. What I can tell you is this: If you don't spend your attention on protecting your company cyber-wise, you’re leaving yourself vulnerable to some huge risks. That's the decision that managers have to make.
There are certain values, attitudes and beliefs about security that you can’t control. You can't control what country you're in, and some countries value security and privacy more than others. You can't really directly control the regulations you're under.
But there are many things that a manager can do, and we call those managerial mechanisms. Those are what managers can do to change people's hearts and minds.
One company we work with, an insurance company, hired a leader to build a cybersecurity culture. This was a managerial decision; they put resources behind it. They hired somebody and her job is to make sure that the values, attitudes and beliefs about cyber are in line with what the company wants to see.
Personally, I think that was a brilliant decision, because a marketing person knows how to change hearts and minds. That's what marketing is all about. It's making you understand what's important.
Mimecast: Getting management’s buy-in is conventional wisdom, but how do you work your way down the ladder to the company’s end users?
Pearlson: People love rewards. Another company shared with us some of the things they do. They ran a campaign where they gave people a cookie when they demonstrated something. It was a chocolate chip cookie, and they had so many people doing what was asked of them because they wanted a cookie. It's very simple, but that reward system changed people’s values and changed their beliefs.
Another example: The same bank’s cybersecurity evangelist went around and put little Post-it notes in unconventional places: “Have you changed your password lately?” “Did you lock your computer before you came to this coffee machine?” To raise the issue, he carried out his campaign where people were congregating.
During another company’s all-hands meeting — all hands, so that's all employees — the CEO began with a cybersecurity moment. I'd like to write a book entitled Cybersecurity Can Be Free, because there are so many little things you can do that cost little to nothing, like a cookie, or like starting your employee meetings with five minutes of discussion on the latest cybersecurity issue.
Those kinds of things work to win the hearts and minds of everybody in the organization. If you think it's important to your boss, you're more likely to think it should be important to you. And conversely, if your boss never mentions it, you may not know that it's important to them.
[For example], we have another project in the product development space. We’re researching how to change the hearts and minds of product developers, so that they build for cybersecurity, just like they build for manufacturability and ease of use and maintenance. And in one company we studied, the managers never said to their developers: “We want you to build for cybersecurity.” They just sort of assumed that they knew it.
Mimecast: As more IoT devices come online, from your car to your refrigerator, won't these become part of the equation?
Pearlson: Of course, and one of our other findings is that when it comes to big-name, branded products, customers assume that cybersecurity is already built in.
But if that’s true, then how does it happen? Not because the designer thought to build it in. If it's secure, it’s because the design process in place made sure that the product came out secure. That's a very different thing. It's much more expensive to retrofit something with security features than it is to design with cybersecurity in mind right from the start.
Mimecast: You co-authored a report on the Dark Web that discussed the new cybercrime business model. How is the nature of cybercrime changing?
Pearlson: Hollywood would have us think that the hackers are all hooded, tattooed, pierced people sitting in dark rooms with multiple screens in front of them. And these people do exist. But today it's a bigger business than that. And that's what the ‘aha!’ moment of that paper was. When we did our research, we found a number of cybercrime-as-a-service offerings on the Dark Web.
Would-be hackers can buy all of the components that they need as a service and then tinker them together to form their attack vector. And the Dark Web is so well organized, they have support desks. There is somebody you can call or deal with on the Dark Web that'll help you put it all together.
These are regular businesspeople with bad ethics. They share information amongst themselves, so they know how to maximize the value from their business.
[Conversely], if we're not good at sharing information about how we're getting breached, then we can't learn from each other, and we're just setting ourselves up to be constantly attacked.
Mimecast: Are enterprises still focused on the hacker in the basement? Do they need to acknowledge that cybercrime is now organized crime?
Pearlson: I think many corporations have come around to that. But I'm not even sure that they think about who it is, other than is it a nation-state or some sort of hacktivist, or is it just someone that wants money? These people are organized — but they aren't necessarily organized crime. They're just really smart, technologically savvy people who are businesspeople.
Mimecast: Given all this, what steps do companies need to take to play better defense?
Pearlson: The authorities are very good at this — the three-letter agencies: Homeland Security, FBI, whatever your local authorities are. Even many larger police departments have cyber arms now. They have newsletters that they send out. They are very good at sharing what they have, what they know and what they can share. That's one way to protect yourself: to plug in with whomever the appropriate authority is for your business.
In chat rooms, on the Dark Web, you can see indications that an attack is being formed. Then you can proactively protect yourself.
If you knew, for example, that somebody was gearing up to attack insurance companies by disrupting [certain] processes, then you could take steps to protect yourself. You might shift your defenses to that particular area, for instance.
Mimecast: What should be the top priorities for CISOs and security professionals?
Pearlson: I'm a little biased; I think that the people side should be a priority. I think your people are your weakest link as well as your best defense. If I were looking at new initiatives for my company, I would seriously look at this. Where are the holes? Where are the vulnerabilities? How can we plug them?
That said, I think it's table stakes that all of your technologies are up to date. All of the patches that have been put out for your systems have been installed and fixed. There's some basic hygiene that has to happen.
For the smaller companies, you've got to start there: Make sure that your hygiene is taken care of. And then for the bigger companies or companies where the table stakes have been covered, then I think the next thing is to look at your people.
That's where our research into culture becomes so important: How do you change the hearts and minds of your people? How do you build a culture of cybersecurity?