Creating Purpose-Driven Cybersecurity In Your Workplace

Forbes Technology Council
Post written by George Finney

Each year, the number of data breach victims is bigger than the last. This means that every year will be the worst year for data breaches. Despite all the attention on cybersecurity, we don’t seem to be doing very well at making the situation better.

Is there anything that we can do to make 2018, or 2019, or 2020 the year we finally start to reduce cybercrime? In his book The Purpose Driven Life, pastor Rick Warren writes, “The truth is, almost everything we do is done poorly when we start doing it -- that’s how we learn.”

We are learning. But it seems like we’re learning slowly. It seems like some people are getting the message and others aren’t.

I’ve talked before about using incentives to help change behaviors in cybersecurity, and I still hope that more companies will find ways to incentivize security. But as we have the conversation about incentives, we have to also understand that incentives will only go so far in improving cybersecurity.

Incentives will change some behaviors, but they won’t create a culture of security by themselves. What we need to do, similar to what Pastor Warren describes in his book, is to go beyond incentives to create purpose-driven security.

In 1954, Abraham Maslow wrote Motivation and Personality, in which he detailed his Hierarchy of Needs theory that changed the way that people look at human motivation. Most people are familiar with the physiological foundation of the hierarchy, but what some forget is that the second tier in Maslow’s pyramid is safety (security, protection, etc.).

Safety is the foundation on which we build our civilization. Unlike the first tier of Maslow’s pyramid, which can be achieved on a personal level, safety is a collective process. You may be the biggest and strongest caveman in the world, but if you are alone, there is a chance that you’ll get eaten by a tiger in your sleep or robbed by another caveman when you’re not at home.

Because it isn’t something that can be assured by someone on their own, safety requires a community. And because it’s a foundational need for human civilization, people have evolved to have an instinctive need to want to play a role in helping create safety and security.

We’ve adopted an unofficial motto in cybersecurity: “People are the weakest link.” We’ve adopted this motto because it’s true -- you can trace every hack back to human error. A human didn’t configure their website correctly, fell for a social engineering scam and gave away their password, or didn’t build secure code into their software. People are the problem, but they are also the solution.

Rather than seeing the people in our organizations or communities as the weakest links, we should deputize them. Everyone has a role to play. Security is everyone’s job.

Without security, you can’t move from meeting basic needs to functioning as a society. This is why security is everyone’s job. Just like our physiological needs, security is a building block to our own personal self-actualization. And this is why we need to let everyone have a chance to play a role in protecting that. We all have a stake in the results.

I recently spent a weekend installing childproof locks on all the doors in our house. Since the day she learned to walk, my toddler has had a knack for getting into things that she shouldn't. Curiosity runs in the family. A few weeks later, I watched her go to all the doors in the house and close them one by one. She would then point up at the lock and ask me to lock them for her.

Deputizing people in our organizations or communities means both giving them something to do and giving them the authority to do it. The amazing thing is that this can be incredibly empowering for the deputy. It tells them they’re important and valuable, and it strengthens the whole community as this empowerment spreads to more and more people.

What does deputizing people for cybersecurity look like? I think giving people purpose requires more than just putting up posters with “See something, say something” written on them:

  • Ask for help. Provide a channel for people to report potential security issues. This could include suspicious emails or activity. It could also mean offering suggestions to help improve business practices, such as how sensitive information is sent via email.
  • Create an internal security advisory council and make that team a real part of your security governance. Let the members of that team help create organization-wide security risk registers, and let them help prioritize risks to manage.
  • Create a cybersecurity newsletter to share real stories about how cybercriminals have affected the business. Putting a face to the people you’re helping creates a human connection to security.
  • Regularly conduct breach drills to help make employees more aware of what your procedures are. Assign departmental captains just like in a fire drill to help organize and report on progress.
  • Create an awards program for employees (not just in IT) that recognizes them for their contributions to protecting cybersecurity.
  • Recognize vigilance. Give credit to people for being a part of reporting or helping respond to an incident. Have a shout-out email list, or a newsletter with their pictures.

Incentivizing good behavior is important, but creating a culture that moves beyond incentives and gives employees purpose is what will make the biggest difference in your cybersecurity program.