Lwhite
Newcomer III

Best Practices to Develop a Cyber Security Culture

Just started a new cyber security role.  Need to build out a complete cyber program (from scratch) one in which I will lead a cyber security awareness training and culture.  Welcome suggestions regarding innovative ideas, tools, thoughts.  Need to get some quick wins!

Thank you! 

10 Replies
rslade
Influencer II

> Lwhite (Newcomer I) posted a new topic in Career on 04-29-2019 11:51 AM in the

> Just started a new cyber security role.  Need to build out a complete cyber
> program (from scratch) one in which I will lead a cyber security awareness
> training and culture.  Welcome suggestions regarding innovative ideas, tools,
> thoughts.  Need to get some quick wins!

Go to https://www.noticebored.com/ and buy a subscription, then get on to some
of the other things you need to do ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
He who knows all the answers has not been asked all the questions
- Confucius
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CISOScott
Community Champion

The key to developing a good cyber security culture is to build security capital with those that you deal with on a regular basis. One of the easiest ways to destroy your security capital (even though you may be 100% right) is to come in and start pointing out all of the things that are wrong with the current cyber situation. Start making a list of what you see needs to be fixed, or what I call "areas for improvement", and then prioritize the list. If you see an area that is lacking, gather the information on why it is that way. There may have been a valid reason for it being that way (even if the valid reason was only valid 20 years ago!). Then look to see how to approach the problem.

One of the worst things you can do is not to understand the organization's culture and just go about trying to fix things. You will find yourself battling against internal giants you didn't know existed. For example:

At one place I worked, the organization's culture was run by fear. They feared making any changes because they might screw something up. They also feared for their jobs. Any of my ideas that increased their fear would be met with immediate resistance and they would look to form internal collaborations against me. Luckily I knew about the magical trick of understanding the organization's culture before I started making suggestions, or else I would have failed like the previous CISO.

At another place I worked, the organization's culture was run by ignorance. They pretended like they were just a small government agency so no one would want to attack them. They also promoted some incompetent people into management who had no business running the IT shop. I did not understand the organizational culture dynamic and I threw one great security idea after another at them (which basically exposed their incompetence without me realizing it!). They fought me tooth and nail and I ended up leaving before any of my great (and 100% correct) ideas could take root. This was also early in my cyber career, so if placed back there now I could function much better.

Build good security capital with the CIO, legal and HR teams. They will be crucial to your long term success. If something comes up that will expose those departments, meet first with them and ask them how they would like for this to come about, so that they feel they have some input and control over the process versus feeling like you are throwing them under the bus.

AlecTrevelyan
Community Champion


@Lwhite wrote:

Just started a new cyber security role.  Need to build out a complete cyber program (from scratch) one in which I will lead a cyber security awareness training and culture.  Welcome suggestions regarding innovative ideas, tools, thoughts.  Need to get some quick wins!

Thank you! 


There are a couple of courses available from ISC2's PDI that could be useful for you:

Security Awareness Training - https://learn.isc2.org/d2l/home/7145

Building a Strong Culture of Security - https://learn.isc2.org/d2l/home/7188

I haven't taken either of them so can't comment on what they are like, but their descriptions seem perfect for your requirements.

Lwhite
Newcomer III

Thank you!  Will check it out.

Lwhite
Newcomer III

Thank you! Appreciate the input!

Lwhite
Newcomer III

Thank you!

Lwhite
Newcomer III

Great advice! Many thanks.

Lwhite
Newcomer III

Will check it out! Thank you.

Steve-Wilme
Advocate II

Before you kick off your initiative, look up "Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity, ENISA, Dec 18", as it provides a useful counterpoint to some of the received wisdom in InfoSec.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS