It has become increasingly clear that the technology, systems, policies and protocols cybersecurity professionals employ are only as strong as the habits of the people who use them. In the digital age, cybersecurity is paramount for every organization, yet building a strong cybersecurity culture remains a challenge. This challenge is not only about mastering the latest technologies or implementing the most robust protocols. It is also about influencing human behavior, mastering change management and fostering the right habits.
A significant part of this challenge lies in the human factor. As many as 88% of cloud breaches are due to human error.1 This includes misconfigurations, failure to implement the principle of least privilege2 and neglected software updates. These vulnerabilities, often overlooked in the face of complex technical solutions, present a significant risk to the security posture of an organization.
Start With a Habit Assessment
A solution to this conundrum emerged from an unlikely source: Atomic Habits3 by James Clear, a widely popular book published in 2018.
Clear's principles and philosophy, advocating for small yet consistent changes, should resonate deeply with cyberprofessionals. These principles, while not originally intended for use in the cybersecurity realm, can be creatively applied to construct a robust framework for a resilient cybersecurity culture. Clear's principles can be adapted to the cultivation of cybersecurity habits.
Laying the Foundation: Micro-Changes As a First Step
The initial principle drawn from Clear's book is the concept of starting small.4 Given the myriad complexities and technicalities of cybersecurity, it can often be an intimidating subject for many employees. Rather than implementing sweeping, large-scale changes that could potentially lead to confusion or resistance, teams should be steered toward adopting simple, manageable cybersecurity practices.
The journey can begin with the fundamentals, for example, the management of cloud access rights. This involves regularly reviewing who has access to what information or resources and why, revoking access rights when an employee changes roles or leaves the organization, and implementing the principle of least privilege, wherein users are given the minimum levels of access necessary to perform their jobs. These minor changes, when consistently applied, can become the building blocks of an enterprise’s cybersecurity framework.
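The access-rights review described above can be made routine by scripting it. The following is an added example, not code from the article or its author: it assumes a simple, hypothetical model in which each user has one role, a role-to-permission matrix states what each role needs, and a list of current grants records who actually holds what and why. All names, roles, permissions and grants below are constructed for the example. The review flags grants held by departed users, grants unknown to the user directory, grants a user's current role does not require (the typical leftover after a role change), and grants with no recorded justification.

```python
"""Least-privilege access review over a constructed grant list.

Added example with hypothetical data. It models the three habits in the text:
review who has what and why, revoke access on departure or role change,
and keep every grant within what the role actually requires.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str
    active: bool  # False once the person has left the organization

# Hypothetical role -> required permissions matrix (the least-privilege baseline).
ROLE_PERMISSIONS = {
    "developer": {"read:repo", "write:repo", "read:staging-logs"},
    "sre": {"read:repo", "read:prod-logs", "deploy:prod"},
    "analyst": {"read:staging-logs"},
}

# Constructed user directory. Dave moved from "sre" to "developer"; Carol has left.
USERS = [
    User("alice", "developer", active=True),
    User("bob", "sre", active=True),
    User("carol", "analyst", active=False),
    User("dave", "developer", active=True),
]

# Constructed current grants: (user, permission, recorded justification).
GRANTS = [
    ("alice", "read:repo", "ticket-101"),
    ("alice", "write:repo", "ticket-101"),
    ("bob", "deploy:prod", "on-call rotation"),
    ("carol", "read:staging-logs", "project-x"),   # departed user
    ("dave", "deploy:prod", "kept from sre role"),  # stale after role change
    ("dave", "read:repo", ""),                      # no justification on file
    ("eve", "read:prod-logs", "unknown"),           # not in the directory at all
]

def review_grants(users, grants):
    """Return findings as (user, permission, action, reason) tuples.

    action is "revoke" for grants that should not exist at all and
    "review" for grants that may be legitimate but lack a justification.
    """
    directory = {u.name: u for u in users}
    findings = []
    for user_name, permission, justification in grants:
        user = directory.get(user_name)
        if user is None:
            findings.append((user_name, permission, "revoke", "unknown principal"))
        elif not user.active:
            findings.append((user_name, permission, "revoke", "departed user still holds access"))
        elif permission not in ROLE_PERMISSIONS.get(user.role, set()):
            findings.append((user_name, permission, "revoke",
                             f"not required by role '{user.role}'"))
        elif not justification.strip():
            findings.append((user_name, permission, "review", "no recorded justification"))
    return findings

def revocation_plan(findings):
    """Sorted (user, permission) pairs the review says should be removed."""
    return sorted({(u, p) for u, p, action, _ in findings if action == "revoke"})

def run_review():
    """Run the review over the constructed data and return the findings."""
    return review_grants(USERS, GRANTS)

if __name__ == "__main__":
    for user, permission, action, reason in run_review():
        print(f"{action.upper():6} {user:6} {permission:20} {reason}")
    print("to revoke:", revocation_plan(run_review()))
```

Running it on a real environment would mean replacing the constructed `USERS` and `GRANTS` with exports from the identity provider and the cloud platform's IAM policy listing; the comparison logic stays the same. The role matrix is the part worth keeping under change control, because every "not required by role" finding is only as good as that baseline.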
The cumulative effect of such microchanges can be surprising. Over time, these changes can significantly bolster an enterprise’s overall security posture, demonstrating that small habits can lead to substantial improvements in cybersecurity resilience.
Habit Stacking: Linking New With the Old
Clear's principle of habit stacking offers a novel approach to adopting new practices. When new cybersecurity habits are integrated with established routines, teams are more inclined to adopt and maintain them. For instance, encouraging employees to review and report any suspicious emails when checking inboxes every morning can become an inherent part of the routine, thereby gradually enhancing organizational security.
Shifting Focus: Embracing the Process
In the realm of cybersecurity, it is easy to become fixated on outcomes, such as the number of incidents prevented or the absence of breaches. However, a more effective approach involves focusing on the process rather than the outcome. This perspective requires a transition from a reactive stance, wherein the team is constantly responding to cybersecurity incidents, to a proactive stance, wherein the team is consistently working on maintaining and enhancing cybersecurity posture.5
This transition represents more than a shift in actions. It marks a profound transformation in the collective mindset. As a result, the team will start to perceive cybersecurity not as a finite goal, but as a continuous journey demanding persistent effort and vigilance.
To support this shift, an organization should consider implementing regular training sessions to ensure that teams stay up to date on the latest threats and best practices. A proactive stance toward learning and development serves as a powerful catalyst in nurturing a culture of continuous improvement. The ripple effect of this transformation can be profound, leading to a significant enhancement in a team's approach to cybersecurity.
Incentivizing Cybersecurity: The Power of Attractiveness
One of the principles that stands out in Clear's work is the idea of making new habits attractive. This poses an interesting challenge in the context of cybersecurity, a field often perceived as complex and tedious. How can the adoption of cybersecurity habits be made more appealing?
One solution lies in the power of gamification whenever possible. By turning cybersecurity practices into engaging challenges or competitions, these habits become more attractive. This approach transforms cybersecurity from a dreaded obligation into an engaging activity that stimulates participation and learning.
Simplicity in Adoption: Facilitating Ease of Use
One of the fundamental principles in Clear's philosophy is the ease of habit adoption. In alignment with this principle, the focus should be on simplifying cybersecurity practices as much as possible. This may involve providing user-friendly tools, clear guidelines and straightforward procedures. For instance, the introduction of a password manager could significantly mitigate password-related issues. This simplicity not only facilitates the adoption of secure practices but also encourages employees to promptly report security incidents, thereby enhancing responsiveness to potential threats.
Reinforcement Through Satisfaction: The Power of Immediate Feedback
Clear underscores the importance of making habits satisfying to ensure their longevity. In line with this principle, prioritizing immediate feedback and reinforcement can be beneficial. Whether it is through verbal praise or more formal recognition, such as an employee-of-the-month distinction, gestures can play a pivotal role in motivating teams and affirming their efforts.
Continuous Improvement: The Importance of Regular Reviews
Another valuable lesson underscores the importance of regular reviews and adjustments. Despite the tendency for this lesson to be overlooked in daily practices due to workload, it is essential to integrate it into cybersecurity routines. Regular feedback sessions and data analysis facilitate the identification of strengths and weaknesses, paving the way for the refinement of strategies for enhanced effectiveness. This cycle of continuous evolution is a cornerstone in maintaining resilience amidst the dynamic landscape of cybersecurity.
Fostering a Supportive Environment: The Shift Toward Collective Responsibility
The final, and most crucial, principle involves the creation of a supportive environment. Cultivating an open and collaborative culture emphasizes that cybersecurity is a shared responsibility. This shift can be profound, replacing fear of blame with a sense of collective ownership and an understanding that everyone's input is valuable.
Conclusion
Incorporating Clear's principles into a cybersecurity culture represents a journey of transformation. Minor changes, when consistently applied, can create a culture that is aware, responsible, and equipped to handle cybersecurity events. If there is one insight to take away, it is that building a strong cybersecurity culture is not about rules and protocols—it is about habits. As Atomic Habits illustrates, habits start small but have the power to bring about meaningful change. As the landscape of cybersecurity continues to evolve, the power of habits and their potential impact on organizations remain constant. Considering how these principles can be applied within an organization is invaluable to strengthening cybersecurity resilience.
Disclaimer
The opinions, views and positions expressed in this article are solely those of the author and do not reflect the stance of the author's employer. The author's associated companies disclaim any responsibility for the accuracy, completeness or validity of the content and will not be held accountable for any related issues that might be found within.
Endnotes
1 Harrison, P.J.; “88% of Cloud Breaches Are Due to Human Error,” The Fintech Times, 2020
2 Carson, J.; Least Privilege Cybersecurity for Dummies, Wiley, USA, 2020
3 Clear, J.; Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones, Penguin, USA, 2018
4 Ibid.
5 National Institute of Standards and Technology, NIST Special Publication 800-39, Managing Information Security Risk, Version 1.1, USA, 2011
Fouad Mulla, CISM, CISSP, CASP+
is a cloud security architect, cybersecurity lead consultant and digital leader with more than 15 years of experience in the information and software industry. He has worked closely with global enterprises, playing a crucial role in ensuring their security and resilience. Mulla has guided numerous businesses in governing and protecting their critical information. His insights have empowered organizations to identify and understand cybersecurity risk, enabling strategic business decisions, especially pertaining to critical infrastructure projects. Additionally, Mulla served as a technical reviewer of the book Multi-Cloud Administration Guide and has been a speaker at several leading cybersecurity conferences.