It has become increasingly clear that the technology, 系统, policies and protocols cybersecurity professionals employ are only as strong as the habits of the people who use them. 在数字时代, cybersecurity is paramount for every organization, yet building a strong cybersecurity culture remains a challenge. This challenge is not only about mastering the latest technologies or implementing the most robust protocols. 它还涉及影响人类行为, mastering change management and fostering the right habits.
A significant part of this challenge lies in the human factor. As many as 88% of cloud breaches are due to human error.1 This includes misconfigurations, failure to implement the principle of least privilege2 以及被忽视的软件更新. 这些漏洞, often overlooked in the face of complex technical solutions, present a significant risk to the security posture of an organization.
从习惯评估开始
A solution to this conundrum emerged from an unlikely source: 原子的习惯3 by James Clear, a widely popular book published in 2018.
Clear的原则和理念, advocating for small yet consistent changes, should resonate deeply with cyberprofessionals. 这些原则, while not originally intended for use in the cybersecurity realm, can be creatively applied to construct a robust framework for a resilient cybersecurity culture. Clear's principles can be adapted to the cultivation of cybersecurity habits.
Laying the Foundation: Micro-Changes As a First Step
The initial principle drawn from Clear's book is the concept of starting small.4 Given the myriad complexities and technicalities of cybersecurity, it can often be an intimidating subject for many employees. 而不是实现扫描, large-scale changes that could potentially lead to confusion or resistance, teams should be steered toward adopting simple, 可管理的网络安全实践.
而不是实现扫描, large-scale changes that could potentially lead to confusion or resistance, teams should be steered toward adopting simple, 可管理的网络安全实践.
The journey can begin with the fundamentals, for example, the management of cloud access rights. This involves regularly reviewing who has access to what information or resources and why, revoking access rights when an employee changes roles or leaves the organization, and implementing the principle of least privilege, wherein users are given the minimum levels of access necessary to perform their jobs. 这些细微的变化, 当持续应用时, can become the building blocks of an enterprise’s cybersecurity framework.
The cumulative effect of such microchanges can be surprising. 随着时间的推移, these changes can significantly bolster an enterprise’s overall security posture, demonstrating that small habits can lead to substantial improvements in cybersecurity resilience.
习惯堆积:新旧联系
Clear's principle of habit stacking offers a novel approach to adopting new practices. When new cybersecurity habits are integrated with established routines, teams are more inclined to adopt and maintain them. 例如, encouraging employees to review and report any suspicious emails when checking inboxes every morning can become an inherent part of the routine, thereby gradually enhancing organizational security.
转移焦点:澳门赌场官方下载过程
在网络安全领域, 人们很容易执着于结果, such as the number of incidents prevented or the absence of breaches. However, a more effective approach involves focusing on the process rather than the outcome. This perspective requires a transition from a reactive stance, wherein the team is constantly responding to cybersecurity incidents, 积极主动的态度, wherein the team is consistently working on maintaining and enhancing cybersecurity posture.5
This transition represents more than a shift in actions. It marks a profound transformation in the collective mindset. 结果是, the team will start to perceive cybersecurity not as a finite goal, but as a continuous journey demanding persistent effort and vigilance.
The team will start to perceive cybersecurity not as a finite goal, but as a continuous journey demanding persistent effort and vigilance.
为了支持这种转变, an organization should consider implementing regular training sessions to ensure that teams stay up-to-date regarding the latest threats and best practices. A proactive stance towards learning and development serves as a powerful catalyst in nurturing a culture of continuous improvement. The ripple effect of this transformation can be profound, leading to a significant enhancement in a team's approach to cybersecurity.
Incentivizing 网络安全: The Power of Attractiveness
One of the principles that stands out in Clear's work is the idea of making new habits attractive. This poses an interesting challenge in the context of cybersecurity, a field often perceived as complex and tedious. How can the adoption of cybersecurity habits be made more appealing?
One solution lies in the power of gamification whenever possible. By turning cybersecurity practices into engaging challenges or competitions, 这些习惯变得更有吸引力. This approach transforms cybersecurity from a dreaded obligation into an engaging activity that stimulates participation and learning.
Simplicity in Adoption: Facilitating Ease of Use
One of the fundamental principles in Clear's philosophy is the ease of habit adoption. 与这个原则一致, the focus should be on simplifying cybersecurity practices as much as possible. This may involve providing user-friendly tools, clear guidelines and straightforward procedures. 例如, the introduction of a password manager could significantly mitigate password-related issues. This simplicity not only facilitates the adoption of secure practices but also encourages employees to promptly report security incidents, thereby enhancing responsiveness to potential threats.
Reinforcement Through Satisfaction: The Power of Immediate Feedback
Clear underscores the importance of making habits satisfying to ensure their longevity. In line with this principle, prioritizing immediate feedback and reinforcement can be beneficial. Whether it is through verbal praise or more formal recognition, such as an employee-of-the-month distinction, gestures can play a pivotal role in motivating teams and affirming their efforts.
Continuous Improvement: The Importance of Regular Reviews
Another valuable lesson underscores the importance of regular reviews and adjustments. Despite the tendency for this lesson to be overlooked in daily practices due to workload, it is essential to integrate it into cybersecurity routines. Regular feedback sessions and data analysis facilitate the identification of strengths and weaknesses, paving the way for the refinement of strategies for enhanced effectiveness. This cycle of continuous evolution is a cornerstone in maintaining resilience amidst the dynamic landscape of cybersecurity.
Fostering a Supportive Environment: The Shift Toward Collective Responsibility
The final, and most crucial, principle involves the creation of a supportive environment. Cultivating an open and collaborative culture emphasizes that cybersecurity is a shared responsibility. 这种转变可能是深远的, replacing fear of blame with a sense of collective ownership and an understanding that everyone's input is valuable.
结论
Incorporating Clear's principles into a cybersecurity culture represents a journey of transformation. 微小的变化, 当持续应用时, 能否创造一种自觉的文化, 负责任的, and equipped to handle cybersecurity events. 如果有什么值得借鉴的, it is that building a strong cybersecurity culture is not about rules and protocols—it is about habits. As 原子的习惯 illustrates, habits start small but have the power to bring about meaningful change. As the landscape of cybersecurity continues to evolve, the power of habits and their potential impact on organizations remain constant. Considering how these principles can be applied within an organization is invaluable to strengthening cybersecurity resilience.
免责声明
的观点, views and positions expressed in this article are solely those of the author and do not reflect the stance of the author's employer. The author's associated companies disclaim any responsibility for the accuracy, completeness or validity of the content and will not be held accountable for any related issues that might be found within.
尾注
1 哈里森,P.J.; “88% of Cloud Breaches Are Due to Human Error,” 金融科技时报, 2020
2 卡森,J.; 傻瓜的最低特权网络安全,威利,美国,2020
3 清楚,我.; 原子习惯:简单 & 养成好习惯的有效方法 & 绝命毒师,美国企鹅出版社,20183
4 同前.
5 National Institute of Standards and Technology, NIST Special Publication 800-39, Managing Information Security Risk Version 1.1 美国,2011年
Fouad毛拉, CISM, CISSP, CASP+
是云安全架构师吗, cybersecurity lead consultant and digital leader with more than 15 years of experience in the information and software industry. He has worked closely with global enterprises, playing a crucial role in ensuring their security and resilience. Mulla has guided numerous businesses in governing and protecting their critical information. His insights have empowered organizations to identify and understand cybersecurity risk, 支持战略业务决策, especially pertaining to critical infrastructure projects. Additionally, Mulla served as a technical reviewer of the book 多云管理指南 and has been a speaker at several leading cybersecurity conferences.