
How to unify your people around your cybersecurity strategy
If you, as a business leader, do not believe cybersecurity to be important, that will have a ripple effect through your entire company.
Creating a ‘culture of cybersecurity’ means making cybersecurity just as much a part of life in your company as regulating the air-conditioning or refilling the coffee machine – something that hardly even needs conscious thought. It also means that everyone feels responsible for keeping your company and its data secure and accountable for any failure to do so.
But how do you unify your people around your cybersecurity strategy? Essentially, it is a question of awareness. In this article I reinforce the importance of accountability, agreements and policies to help you build your culture of cybersecurity.
Understand the challenge of the CISO
Always keep in mind that cybersecurity is a balancing act between freedom and security. Whatever you gain in security you tend to pay for in freedom and in privacy: someone will be able to see what you are doing, and you will no longer be free to do whatever you want.
If you have ever wondered why CISOs (Chief Information Security Officers) don’t usually last long (their average tenure in a company is often put at around two years), it is because, being responsible for cybersecurity, they are stuck between a rock and a hard place. Their job, by definition, makes them ‘the enemy of the people’. They have to create and enforce policies and, most of the time, they don’t have sufficient budget to train people, manage change or even explain why people’s freedom is being restricted. This means that not only are they generally regarded as a nuisance (or an unnecessary expense), but their underfunded and underappreciated efforts also leave holes that criminals can exploit. So one of three things usually happens: they leave, they burn out, or there is a cybersecurity incident.
It is essential that leaders help the wider organisation to understand the role and importance of CISOs and how adhering to cybersecurity policies will keep them, and the company, safe. This will help breed a culture of unity.
Build accountability
All your employees must understand the seriousness of cybersecurity. As a friend of mine, who happens to be the CEO of a large accounting firm, put it: cybersecurity is a team sport; the whole team has to be responsible for whether we win or lose.
As in any sport, rules must be set and understood. As Simon Sinek puts it in The Infinite Game, this is an ‘infinite game’: there are no winners or losers; you are playing against yourself in a bid to get better and better, day after day.
Of course, in this game, everyone has a lot to lose. Customers’ data can be compromised, the company can be sued, intellectual property can be stolen... There is a lot at stake, so it needs to be taken seriously.
No one in your company can be left out of cybersecurity. If a person does not comply, they become your weakest link. In one company I worked for, we used to change the background images on all the computers that were left unlocked at the end of the day or for any prolonged period during it. It was a childish prank, but it sent out an important message: if you leave your device unlocked and without surveillance, anyone can do things on your behalf. People soon locked their computers whenever they were away from their desks.
Having a culture of cybersecurity will ensure that your receptionist will ask the right questions and log the appropriate information before letting anyone into the building, that your office staff will think twice before clicking on any link within an email, and that your assistant will check and double-check – and obtain the necessary authority – before transferring any funds during a merger or acquisition.
If something unusual happens or there is an unexpected error, the alarm must be raised automatically and immediately, just as it would be if a fire broke out.
Consider this example: a company president calls me one morning and says, ‘René-Sylvain, something’s wrong. I’ve just had to reauthenticate my OneDrive five times.’ After checking that nothing is wrong with his device, I start looking into his credentials. A bit of digging in the Entra ID sign-in logs soon reveals that he has been the victim of a password spray attack.
This is the type of reflex your team and your operations must develop: treating repeated password prompts, or an unexpected demand to change a password, as a signal worth reporting, as opposed to thinking nothing of having to enter a password ten times or being told to change it because ‘it isn’t secure’. It will take time, but it is worth the effort.
Clear agreements and policies
To make sure that everyone takes responsibility for their actions, it helps to draw up agreements and implement policies. Having to sign something that says you are aware of your cybersecurity responsibilities makes it real. Policies also create boundaries, so that your employees know the limits of the sandbox in which they are allowed to play.
Here are some policies that you may want to define:
- Terms of engagement (how technology is to be used at your company)
- Digital hygiene (how to manage and clean up your online data and accounts)
- Netiquette (proper use, language and behaviour online)
- Privacy and confidentiality
- Customers’ data
- Corporate intellectual property
These documents, once signed and accepted by everyone in your community, provide a framework within which they work. They also discourage employees from using corporate email and computers for personal and potentially reputation-damaging purposes, so that in the event of a cyber-incident there is less of that material for criminals to find and publish. Standard agreements and policies should be part of your employee onboarding process, so that people know from the word go that they are responsible and accountable for their actions with regard to cybersecurity.
Having such policies and agreements will also help you to comply with laws and regulations that you are required to abide by, since you will already be doing most of what you need to do, such as:
- Documenting your processes
- Keeping compliance-related data in its own segregated enclave
- Tagging your compliance-related data
- Maintaining a registry
- Establishing controls
Once you have established your strategy and procedures, integrating certification and compliance is largely a matter of mapping the terms, policies and controls you already use onto the requirements of the standard in question.
Conclusion
To unify your people around your cybersecurity strategy you need to ensure that everyone understands the role of the CISO and that they are there to protect the company. Organisation-wide accountability also needs to be in place, alongside clear policies and procedures. Together these create a solid foundation for your people to act responsibly and securely.
For more startup news, check out the other articles on the website, and subscribe to the magazine for free. Listen to The Cereal Entrepreneur podcast for more interviews with entrepreneurs and big-hitters in the startup ecosystem.