Cheap (Cybersecurity) Wisdom

Russell Eubanks, in a SANS Institute video, “Improve Your Cyber Security Culture,” offers the following advice learned from one of his own mentors: “Get wisdom as cheaply as you can.” Eubanks, Principal Consultant and Co-Founder of information security consulting firm Cyverity and former Chief Information Security Officer and Chief Information Officer of the Federal Reserve Bank of Atlanta, discusses the value of learning from exercises, intelligence, and others. He notes that it is much “cheaper” to learn by conducting tabletop exercises and listening to the experiences and incidents of others than to wait for your own organization to learn from its own cyber incident.

Certainly, a data breach or other cyber incident at your organization is a very costly way to learn safer habits. Here are three immediate and ongoing ways to motivate security cultural change, without the same cost:

Conduct tabletop cyber incident response exercises

As Eubanks advocates, practicing cybersecurity incident scenarios, much like practicing fire evacuation drills, gives the cyber incident response team and the organization a chance to establish and emphasize cybersecurity priorities while also reducing response confusion and identifying plan weaknesses. Tabletop exercises help show, rather than tell, why cybersecurity is a whole-organization problem rather than just an “IT problem.” Tabletops can be a great way to show the need for effective incident planning.

Follow (and act upon) cybersecurity alerts and intelligence

The more you know about vulnerabilities relating to your systems and sector, the more you can prepare for the worst and educate your organization. Make sure your critical systems’ vendors have accurate contact information for your organization, so that vulnerability and patch notifications reach you. Also make sure you have quick access to status pages for cloud providers. In addition, subscribe to available information sharing services.

Follow cybersecurity news

To relate cybersecurity best practices (and worst practices) to your organization, refer to other similar organizations in your industry and their hard-learned lessons. Sometimes, we need to hear a horror story or two to make the threats seem more real. Or it could be that news gives you specific data to support your mission. Sprinkling in well-placed cyber stories and statistics both engages your community and gives a note of reality and credibility to what you are trying to achieve. It is much cheaper to build a culture of security by learning from others, who have already paid a steeper price.

How can MOREnet help?

Tabletop Exercises and Incident Response Planning:

Reach out to security@more.net for assistance planning a cyber incident response tabletop exercise or to get started drafting a cyber incident response plan.

Cybersecurity Vulnerabilities and Alerts:

MOREnet cybersecurity analysts subscribe to state and local intelligence channels and also use network vulnerability identification software. MOREnet’s cybersecurity team reaches out to MOREnet members’ Security contacts to share relevant information. Sign in to my.more.net to verify your organization’s Security contact.

Cybersecurity News:

Check out the weekly MOREnet Cybersecurity News email for curated alerts and news. MOREnet’s cybersecurity analysts read through a wealth of headlines and articles each week and share information relevant to members. Your Security contact receives this newsletter.

References

Eubanks, Russell. “Improve Your Cyber Security Culture.” YouTube, uploaded by SANSInstitute, May 3, 2023.