Constant adaptation is key in cyber security. Amid technical intricacies and evolving threats, two often overlooked factors are as crucial: culture and creativity.
Trey Mujakporue, a seasoned Cyber Security Manager with over two decades of global experience, sheds light on why culture is so important, the intricate relationship with developers, and how to use stories to build better defences.
Watch his recent conversation with Dan Haagman, CEO of Chaleit, and check out a written summary below.
Culture clash in cyber security
Culture and creativity are essential. Cyber security is a discipline in which thinking outside the box helps you do your job and brings rewards.
However, if you live in an authoritarian society, you tend to always do as you are told. So, there can be a clash between a rigid upbringing and the demand for the kind of innovative thinking cyber security demands.
Staying in line in cyber security does not pay dividends. The people that you are defending against always think outside the box. They are looking to chain one exploit to another and take advantage of loopholes.
In cyber security, we are in many ways like the police—always on the back foot. How do you meet fire with fire? A cultural shift might be needed in certain environments to nurture excellent cyber security professionals.
Personalising cyber security awareness
The challenge of instilling awareness in end-users does not have a definite solution. However, personalisation is a good start.
When people don’t know what can happen in a situation or when they’re not personally affected, they are blasé about it. Let’s take the analogy of playing with fire or an electrical socket. When you stick a finger in an electrical socket, you get shocked. Similarly, when you play with fire, you get burned. You’re unlikely to do any of those things again.
In cyber security, we train users to be vigilant, but threats tend not to have a material impact on them. They click on a link, and what happens? They get phished, and the company loses a ton of money. But it’s not the users’ money. However, anybody who’s been a personal victim of phishing is not going to click on suspicious links anymore.
When you can make the impact of failures in your business personal to the individuals you’re training, they are more likely to pay attention.
Use stories—people love them. Connect digital protection to personal experiences to foster a deeper understanding and make individuals more vigilant and proactive.
Also, be aware of phishing fatigue. The objective of the industry today is to push products. To do that, vendors must make phishing tests more realistic and more frequent. But that, in turn, can lead to fatigue among the users being tested. So what do you do?
One solution is to tailor testing for specific roles within the organisation. Recognising the unique risks each department faces allows for more effective, focused training campaigns.
However, personalisation is not a panacea. You must combine it with a variety of other bits and pieces to be effective. And like anything else, what’s right for one organisation may not be right for another, so understanding the culture is key.
Developer dynamics: balancing speed and security
The culture of an organisation dictates how developers behave.
Let’s juxtapose two imaginary organisations. Think of a draconian one where everybody follows established processes and doesn’t deviate from norms. And another one, where people are given the freedom to experiment and test. Both organisations are building a product and want to get it to market. Which of the two will scale and work faster?
The freer organisation will, but that same organisation will also create a lot of tech debt, because moving and experimenting quickly is what it takes to achieve the goal.
The challenge arises when the time comes to address this tech debt without hindering developers’ innovative spirit. Fighting the developers will never work. A shift towards flexibility and taking risk into account is more effective than imposing restrictive measures.
What happens when there’s no follow-up or centralisation of decision-making? The information ends up sitting in someone’s email or on a hard drive and can easily get lost.
Not having a centralised system is a bad idea. You lose the historical information associated with the original decision. The system does not have to be complicated. But you need rules and policies to ensure visibility and long-term effectiveness.
As organisations strive to fortify their defences, a holistic approach to cyber security that considers cultural nuances, personalised training, and developer dynamics is key to success.
Stay tuned for part two, where Trey Mujakporue continues to unravel the layers of cyber security, with a focus on the challenges and opportunities of the compliance process.