By Madison Iler   /   Dec 9th, 2020

The Human Elements of Building a Strong Cybersecurity Posture

A few weeks ago, my colleague Dan Featherman, LMG’s chief technology officer, wrote a great blog on five “quick wins” to jump start your cybersecurity program. I strongly recommend organizations review Dan’s list and implement any recommendations that are not already in place. But at the same time, Dan’s quick wins inspired me to put together a different list – four aspects of the human elements needed to build a strong cybersecurity posture.

This blog looks at the role people play in cybersecurity and the importance of including these elements in your overall cybersecurity strategy. I’ve also included links to some previous LMG Security blogs that provide more details and specific suggestions on these topics. If your organization has room for improvement in any of these areas, consider including them in your 2021 cybersecurity plans, as doing so will strengthen your overall cybersecurity posture.

Leadership Engagement is Crucial

To build a strong cybersecurity posture, you must have consistent, visible management support and engagement. Senior leaders in the company should be talking about security regularly and conveying its importance. And it can’t be only IT management beating this drum. Cyber risk affects the well-being of the whole company; management, staff, and customers all play a role in reducing risk.

How can you maximize the benefits of cybersecurity leadership? An executive team or board-level training session on current threats and potential impacts can be eye-opening for many people. Helping your senior management understand the reality of cybersecurity risk can quickly get them on board to help spread the message and create a cybersecurity-aware culture across the organization. In particular, many managers still think a company has to be “targeted” to be affected by a cybersecurity attack, when the reality is that most attacks are opportunistic in nature: the criminals don’t care who clicks the phishing link; they’ll take it!

Once you have senior management on board, leverage their leadership to implement short security topics at regular staff and department meetings. Also be sure they are kept informed of the organization’s cybersecurity posture, identified risks, and plans to reduce risk. A high level of management visibility into cybersecurity plans can also help get funding prioritized for tools, projects, and training.

Training is Part of Building a Strong Cybersecurity Posture

With leadership on board and senior management support for cybersecurity initiatives, you’re well positioned to build an effective awareness training program and create a cyber-aware culture organization-wide. To truly reduce risk, training needs to be more than an annual check-the-box activity.

Be sure your training conveys overall risk to the organization and mission, how all employees can help reduce risk, and the “why” behind security requirements, such as multifactor authentication and long passwords. LMG Senior Security Consultant Delaney Moore wrote a helpful blog on how to incorporate these key elements into your training program.

Creating a Cyber-Aware Culture

Leadership and awareness training will help build a security-aware company culture. Building a strong cybersecurity posture requires creating a company culture in which people are aware of risk, understand their own roles in reducing risk, and feel encouraged to question or report anything that seems suspicious or unusual. Be sure all users are given clear instructions on how to report things like phishing emails (especially if they clicked!), sensitive data stored in an unauthorized location, security concerns, indicators of account compromise, or insider threats.

Ensure your help desk staff, tech support, managers, and other user-facing roles understand the importance of non-judgmental support for anyone with questions or those who need a little more help adapting to changes like password storage solutions, encrypted email, and multifactor authentication. Many users may adapt quickly to these changes, but others may benefit from step-by-step tip sheets or a section on your intranet with guidance and FAQs to reference. Make sure department managers know what resources are available for anyone on their team who has questions or needs extra support or training.

Acceptable Use Policies

Even with training in place and a security-aware culture, it is important to issue clear guidance to users on what activities and behaviors are allowed and not allowed when using the company’s network or devices. For example, are users allowed to connect personal devices to the company network? Connect to personal email from their work computer? Use removable media or cloud storage to transfer information to clients or to their home computer?

These activities may or may not be allowed at different companies, which is why it is important to set clear guidelines and communicate them to users. Don’t assume everyone will just happen to make decisions that fit the company’s security expectations and risk tolerance. A common way to do this is through a user-facing Acceptable Use Policy. Start by explaining that part of building a strong cybersecurity posture is to reduce risks on the company’s devices and network. Document the company’s rules and expectations, distribute the policy to users, provide an opportunity for discussion and questions, and ask users to sign or otherwise acknowledge their understanding of the rules and their commitment to following them. This blog expands on the importance of an Acceptable Use Policy and provides suggestions for writing an effective one.

Would you like advice or support strengthening any of these human elements within your organization? LMG Security offers executive level security briefings, user awareness training, policy development, and general advisory services to help organizations develop their cybersecurity programs and reduce risk. Contact us to see how our experienced consultants can support your cybersecurity goals.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely-accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds her CISSP and HCISPP security certifications.