IT Security

CISA wants you to harden your cybersecurity culture

Published on October 02, 2022

Cybersecurity Awareness Month is upon us, and this year’s theme is “See yourself in cyber.” According to the Cybersecurity & Infrastructure Security Agency (CISA), the theme was developed to demonstrate that “while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.”

The theme may not be sophisticated, but it wasn’t created for cybersecurity specialists or other IT professionals. Instead, it was created to “ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future.” CISA wants to raise cybersecurity awareness for everyone, especially your users.

That’s good news for you and other IT pros. CISA is calling out cybersecurity culture and making it central to your organization’s cybersecurity success. “See yourself in cyber” effectively democratizes cybersecurity, extending that responsibility beyond the IT department and distributing it across the organization. The theme extends the broader trend to democratize IT. And it issues a call to action: If you want to harden the cybersecurity of your organization, harden the cybersecurity of its culture.

Far from hard

If an organization’s culture is most accurately characterized by the way its users behave—and it is*—then judging by the numbers, the cybersecurity culture of most organizations is far from hard.

Verizon reports that 82% of the data breaches in 2021 involved the human element: people who fell for phishing, business email compromise, and other social engineering attacks, or whose errors or misuse opened the door to malware, ransomware, and other attacks. For the same year, Cisco says that phishing victims alone accounted for 90% of all data breaches, while the World Economic Forum traces 95% of cybersecurity issues to human error.

“See yourself in cyber” advocates four simple actions that everyone can take to lower those numbers and improve cybersecurity, for their organizations and for themselves:

  • Enable multi-factor authentication

  • Use strong passwords

  • Recognize and report phishing attacks

  • Update their software

Notice that none of the action items above requires users to buy or install new security technology. MFA and software updates rely on capabilities the organization already provides; the rest are simply behaviors to adopt and actions to take. That’s not a cost-cutting quirk of CISA and the US government, by the way. Vendors and consultants of every security stripe are advising users, for free, to slow down and investigate suspicious communications no matter how they’re delivered—email, text, website, voice, in person or on paper.

And if your users consistently perform those actions, the improvement in your cybersecurity culture will be significant, as will the improvement in their own cybersecurity posture.

*About that asterisk: Actions speak louder than words when it comes to organizational culture. The values, beliefs, and ethics found in your organization’s mission, vision, and values statements only reflect its real culture if they consistently guide your users’ behavior. Otherwise, they reveal the culture your organization aspires to have some day rather than the one it has today.

Cultivating consistent behavior

To encourage users’ consistent, cyber-secure behavior, you should “make cybersecurity part of the organization’s fabric,” writes Beth Stackpole for MIT’s Sloan School of Management. Do that at all levels of the organization, from leaders in the C-suite to users on the front lines.

Leaders need to prioritize cybersecurity, in word and deed, so that the rest of the organization embraces it as an intrinsic value. Users need to be aware of the cybersecurity threats and believe that their organization supports cyber-secure action.

Seeking ways to weave cybersecurity into every level of organizational culture, Stackpole spoke with Keri Pearlson, executive director of Cybersecurity at MIT Sloan. The points below are informed by recommendations made by Pearlson and others.

Make it personal. Cybersecurity needs a champion within your organization. The cybersecurity champion may be a C-level executive—your CEO, CIO, or CISO—or another exec, whether a technologist or not. The champion is the authority on promoting the behaviors and beliefs that establish cybersecurity as a cultural priority. The champion keeps their eye on the cybersecurity ball, setting the vision and expectations as well as inspecting progress.

Make it meaningful. Cybersecurity must be defined in a way that’s meaningful for your users. They need to understand that this value is important to them and to the organization. Stackpole writes that one organization used the phrase “protect our data and systems” in lieu of the word “cybersecurity.” The substitution “made a huge difference…in building a culture of cybersecurity” because the word didn’t resonate with users while the phrase did.

Make it official. Hold users accountable for cybersecurity by making it an official part of their jobs. Let them know what is expected of them, what cyber-secure behavior looks like, and what actions to take or to avoid. Reward users when their actions promote cybersecurity, and correct them when their actions inhibit it.

Make it second nature. Beyond awareness of cybersecurity threats, users need to know what to do if they wind up clicking a link in a phishing email or giving out login credentials to a vishing scammer. Drill the responses into users with training exercises that cover who to contact, which resources to lock down or take offline, and other actions they can take to limit the damage. A user who reports a mistake within minutes gives the response team a far better chance of containing it than one who stays quiet out of embarrassment, so make it clear that prompt reporting is the expected, rewarded behavior.

Make it holistic. Your organization’s values don’t exist in a vacuum, each isolated from the others. They exist in an interwoven whole that is greater than the sum of its interdependent parts. When you weave cybersecurity into your corporate culture, every other value the organization prizes and acts on is affected.

What happens to innovation, time to market, and user experience, for instance, when cybersecurity becomes a priority? Is the organization willing to let productivity sag as users work more slowly, cautiously, and deliberately? As different values rise and fall in importance over time, questions like these will emerge. Make sure that everybody in the organization knows the answers.

Make it realistic. At the end of the day, your users are still people. They’re going to have bad days, sleepless nights, get stuck in traffic, argue with family or friends, and endure countless other diminishments of body, mind, or spirit. While consistent, cyber-secure action is a laudable goal, set realistic expectations for your users: Look for their best efforts, not perfection.

See you in cyber

By encouraging the democratization of IT security in this year’s Cybersecurity Awareness Month campaign, CISA paints a promising future for IT teams and for the organizations they serve. For years, we’ve been watching information technology seep into every nook and cranny of our lives, on the job and off. Now, we can look forward to cybersecurity pervading our lives, and simultaneously hardening our organizational culture.
