The cumulative effect of the massive wave of attacks will lead to significant improvements to cybersecurity culture in 2022, predicts Dr. Keri Pearlson, executive director of the Cybersecurity at MIT Sloan, an interdisciplinary consortium for improving critical infrastructure cybersecurity at the MIT Sloan School of Management.
Speaking at an online Predict 2022 event hosted by Techstrong Group, Dr. Pearlson said more organizations in 2022 will align their values, attitudes, and beliefs with the cybersecurity policies they create. Business leaders will, for example, make cybersecurity a regular meeting topic as organizations look to encourage all employees to consider cybersecurity to be a part of their job rather than a task solely performed by someone else on their behalf, she said.
The Cybersecurity at MIT Sloan consortium has developed a maturity model that describes four multidimensional levels of cybersecurity awareness within organizations. At the highest level, everyone realizes cybersecurity is part of their job. At the lowest level, employees are simply aware that some of the tools they employ have embedded cybersecurity capabilities.
Aligning behavior to security policies involves everything from training employees to recognize phishing attacks to giving them rewards for consistently adhering to best security practices, said Dr. Pearlson. Ultimately, it’s a campaign to change the hearts and minds of employees, she added.
The need to achieve that goal has become a bigger imperative in 2022 because cybercriminals are launching more sophisticated attacks. In fact, Dr. Pearlson noted that the average organization automatically thwarts about 200,000 security events a day. It’s not that cybersecurity professionals have been doing a bad job; it’s just that cybercriminals are raising their game in a way that requires organizations to likewise respond, she said.
How to maintain a cybersecurity culture
Obviously, it’s not easy to build and maintain a cybersecurity culture within an organization. Fatigue is inevitably going to be a factor as employee morale waxes and wanes. Cybersecurity professionals need to find ways to continuously engage employees in a positive manner. Carrots are usually a lot more effective over the long term than a proverbial stick. Of course, the more automated cybersecurity becomes, the less dependent organizations are on employees doing the right thing each and every day.
The most important thing is that the tenor of the relationship between employees and cybersecurity teams needs to change in many organizations. Cyberattacks such as ransomware are an existential threat to the organization. If the organization can’t operate, it will not be able to generate the revenues required to meet payroll obligations. There will, as a result, be fewer raises and in some cases staff reductions.
Employees who appreciate the adverse impact a cybersecurity event can have on an organization are much more likely to be conscientious about defending their livelihoods, if not for themselves then for their colleagues. There may be factions within organizations, but, in general, there is usually at least some innate sense of the need to protect the entity that feeds the tribe.
Savvy cybersecurity professionals will find a way to tap into those natural instincts. After all, no matter how divided a family might be, its members will usually rally to protect it from any and all external threats.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.