Building and Maintaining a Culture of Security

As network and system defenders and operators, it’s tempting to think of an effective security program as a series of technical protections designed to protect information and operational technologies from attackers determined to defeat those controls through complex exploits. Most of us embrace the concept of layered defense and understand that to be effective, security controls must be interlocking so that a failure or bypass of a single element does not permit an attacker to penetrate and gain persistence in a system. Most of us also understand that the threat signals generated by our sensor fabric must be continuously monitored and acted upon decisively now, and that “tomorrow morning” is often far too late. Cybersecurity standards are indispensable but make it all too easy to reduce a security program to an ineffective checklist-style compliance exercise.

Regardless of how much we invest in security technology and the dedicated staff to operate and monitor it, technical controls alone are never enough. They can be degraded or even bypassed completely by a single untrained, inattentive, or even malicious user. Cultivating a lasting culture of security by engaging every employee, contractor, or other system user as the first and last line of defense must always be the overarching control. It can also be the most challenging one to sustain.

Monthly phishing testing and annual training are table stakes, but the bar must be higher still. We must ensure every colleague is aware that personal information once difficult to obtain is often a public record or something that many choose to disclose on social media platforms—data that can be readily weaponized for social engineering by skilled and well-funded adversaries. We must teach that what may appear to be a technical glitch may really be a signal of an attack. Do our colleagues understand that a flood of MFA push requests isn’t a misconfiguration, but is instead an effort to induce fatigue and induce the person to acknowledge the request and mistakenly authorize an intrusion? Are our employees trained to recognize and report issues that suggest an insider threat may be lurking, and are we equipped to evaluate those suspicions fairly and quickly? Do our colleagues understand changing guidance (for example, why we no longer ask them to robotically change passwords every 30 days and instead only force a change if there is an indication of compromise)? Or are these changes a source of confusion?

An effective security culture cannot stop at corporate boundaries. Our suppliers are also an inextricable component of the risk we must collectively face. As the Wall Street Journal aptly described in 2019 in the article America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It, small companies can be the Achille’s heel of well-defended large enterprises. Adversaries understand how to turn against us the trust we necessarily place in our business partners, in the emails and attachments they send, and in the requests they convey.

The investment we all must make in establishing and cultivating strong and shared security customs, expectations, and attitudes within and across our enterprises and supplier ecosystems is sizable. It is dwarfed, though, by the far steeper costs and reputational risks of a data breach; a business interruption caused by the disablement of a critical supplier; or the recovery from a crippling ransomware and extortion attack.