Promoting a Culture of Cybersecurity



By Bob Heckman, CIO, Criterion Systems

NIST’s recent guidance that cybersecurity is everyone’s job urges organizations to build a company culture that promotes cybersecurity. Social engineering attacks have been on the rise for years because people remain the weakest link. Psychologically, people tend to trust first rather than to distrust; we are wired this way for many good reasons, and it is unlikely to change. It is therefore not surprising that traditional IT and security models, which rely on technical controls alone, have proven ineffective over the past decade.

Despite the tremendous growth and sophistication of cybersecurity defense technologies, attackers continue to find ways in, primarily by exploiting people’s inherent weakness: trust. Cybersecurity must become each employee’s responsibility, through training that improves their ability to spot fraud and malicious activity as early as possible and encourages them to access systems and data responsibly – even when that is less convenient. Institutionally, incorporating cyber risk into the overall enterprise risk management process, and investing in greater employee awareness through training and process enforcement, offers the greatest return on investment. For end-user best practices, please see Criterion Systems’ blog post, “Creating A Culture Of Cybersecurity In Your Organization.”