You must cast vision for effective cybersecurity.
The cybersecurity industry thrives off fear: fear of missing out (FOMO), fear that something deleterious will happen if you don’t act with haste, and so on. Even marketing strategies appeal to a sense of fearful urgency! Anti-virus software companies tend to employ an “upgrade NOW before you are attacked” marketing strategy – not far from the same social engineering used to plant malware in a phishing email. There is a better way, and it starts with vision. It begins with administrators choosing to cast vision instead of fear for better cybersecurity. Our fourth Reasonable and Prudent measure, Administration Basics, helps you practically create and cast this vision for your company.
We’ve said it before, but cybersecurity is about more than technology. Cybersecurity must include company discipline and individual habits: Do employees leave crucial data on their desks? Are we building a culture of customer data care or are we degrading into lazy negligence? Even as we create policies, standards, procedures, and guidelines (although they may sound similar, each has a unique place in information security*), it is up to us as administrators to lend crucial support to a culture of data care. Here is where we start:
First, identify the roadblocks. We found a few. Sometimes leadership does not value or prioritize administrative policies for information security. Sometimes administration dislikes policy creation and is unable to do it well. What are yours? Which are the hardest to overcome?
Second, now that you understand the hurdles, you can forge ahead to overcome them. It’s helpful to use existing, quality resources (such as NIST policy templates, which provide a solid starting point for addressing policy-creation roadblocks) and to bring others alongside you for support (e.g., Finance, Audit, and Operations – all of whom understand the value of policies and standards). Practically, this means nurturing a collaborative effort with members representing diverse ends of your department or organization; the more interdepartmental representation you have, the higher the chance of implementing policies throughout the organization. Also, it’s critical to use a “common person voice” – avoid industry jargon, obscure acronyms, and incoherent sentence structure (e.g., don’t write like an attorney or a rocket scientist). If an eighth-grader can’t understand it, it’s not likely to gain adoption.
Finally, talk about it. Instead of using fear tactics, set the goal before your organization continually—we follow these policies to protect our customers. A couple of policies we recommend are the Acceptable Use Policy and the System Security Policy. We can be a part of a change in the way businesses and leadership view and implement cybersecurity. We can work together towards a more secure future.
*Want to learn more? Receive a free Reasonable and Prudent Guide for Small and Mid-Sized Businesses in your inbox by writing “Guide, please!” in the contact form here. And don’t worry—we don’t share your information with anyone else!