Cloud Security Culture vs. Compliance
Poor Security Practices Ruin Businesses
If you’ve been working for more than a few years, you already know the importance of staying secure on the Internet. When you run a company, that awareness has to be magnified into a cloud security culture. A single successful cyber attack can ruin your reputation, cost you a great deal of money, shut your company down, or even land you in jail.
This article is not about whether your business should have a strong security posture. It is about whether you, and everyone else at your company at every level, understand the difference between merely checking boxes and having an actual cloud security culture.
Cloud Security Culture Happens at the Top… or it Doesn’t Happen at All
I’m going to start off with a controversial statement: C-level executives, in general, do not understand what it takes to properly secure their company against cyber attacks. A few might. Some probably think they do. But for most? No.
This puts them in an unfair position, because your C-level execs are almost always the ones responsible for the decisions that determine the company's security posture. Ultimately, they are the ones held accountable when “stuff” hits the fan.
I’ve been in their position. I’ve also been the cyber security nerd sitting at the board room table trying to convince leadership of the importance of having a cloud security CULTURE, and seeing the disastrous repercussions of leadership not taking it seriously.
For those companies that recognize at least some need for cyber security, there are two major drivers that should be mentioned.
Driver #1: Compliance with Auditor or Sales Requirements
Compliance is a necessary driver, but it is my least favorite, and it is unhealthy when it is the only driver for cyber security. Meeting a checklist, or using cyber security as virtue signaling to close the next sale, may get the job done. I’ve seen it work that way for many companies.
The problems arise when you check off list items simply because others expect you to. With that kind of gamble, your security may be sufficient for a time, and with those minimally met controls in place you may avoid many major cyber security threats. Just maybe...
Stopping at that point is a disingenuous effort to actually protect your company. Cyber security is more than checking off the right boxes. The checklist approach may hold up from a technical standpoint, or even a procedural one, but it misses the “people” part of cyber security.
People are your greatest threat and your greatest protection. People have behaviors. Behaviors are what miscreants exploit using social engineering. Those behaviors are what truly determine your security posture as a company.
To ensure that those behaviors enable and encourage security, leadership is responsible for building a well-defined culture that people can model their behavior on. Leaders are not only responsible for establishing that culture; it is absolutely essential that they model it through their own behavior.
This is where having a cloud security culture comes into play.
Driver #2: Building a Cloud Security Culture
Here are some statements you may hear that signal your company does NOT have the proper perspective on security:
- Cyber security is the IT department’s job, not anyone else’s.
- Security is just another department.
- I don’t need to do cyber security awareness training, my son already showed me how to use my cell phone.
- I have the best antivirus software on the market, so I should be safe.
- I use a Mac, so I won’t get viruses.
- Our company is 100% secure.
If you or your employees have ever said things like this, your cyber security plans may be moving forward in an unhealthy way.
You cannot address the people side of cyber security without addressing the culture behind your company's behaviors. You need to challenge what people believe, and take a strong stance on security awareness and protection against social engineering.
When it comes to building a cloud security culture, company leadership, from the top down, should:
- Enforce a culture of cyber security that everyone adheres to, in every position, especially leaders. If leadership thinks it is excluded from maintaining a strong cyber security posture, serious conversations need to happen to change that. Lead by example. Keep in mind that leaders are targeted by social engineering attacks more than most, because leadership has access to more sensitive information and the authority to approve payments and access.
- Provide security awareness training. Security awareness training. And again, security awareness training. This means everyone. Your CEO should receive just as much security awareness training as your CSO/CISO.
- Have a strong conversation with, and constantly remind, every department… your leadership teams, directors, VPs, accounting, billing, sales, IT, custodial, etc… that cyber security is part of everyone’s job. Literally write it into their job descriptions and performance plans.
Does it feel like I am being too extreme? Let me set your mind at ease, at least a little. A strong cloud security culture doesn’t mean training the entire company to be cyber security experts. Security awareness means teaching people what to look out for while they do their jobs day to day, and how people with malicious intent try to exploit them. These are skills that help anyone in life, even outside the company: they help people protect themselves, their families, and their friends at home.
People are what it is all about. Yes, processes and technology are needed, but don’t forget that process and technology exist to help people.
Contact us to talk with cyber security professionals who can help you create a cloud security culture that gives your business the protection it needs.