This document discusses how to strengthen corporate culture for cybersecurity by shifting to a data-centric paradigm. It recommends focusing on protecting data rather than just the IT infrastructure. This includes defining crucial data, using encryption and data masking, and monitoring data movement with DLP solutions. It also suggests achieving culture change by getting users involved, making training engaging like a video game, learning from data breaches, and creating a framework focused on data security. The goal is to involve all employees to better understand vulnerabilities and strengthen security.

1. Cultivate a Stronger
Corporate Culture
to Enhance
Cybersecurity
The fast-changing threat landscape requires a data-centric paradigm shift
FridFriday, September 14, 2018
By David X Martin X Martin

2. Corporate cultures do not change quickly – they migrate. Most organizational development
experts offer the same recipe for culture change: (1) pick the right leadership, (2) recognize
and reward the behaviors you want to encourage, (3) communicate clear values, and (4)
provide extensive training.
But this recipe won't work for the ever-evolving, shape-shifting, constantly moving target
that is cybersecurity. Most employees aren't interested in their own digital security, much less
their company's. Therefore, changing a company's culture to strengthen security is especially
difficult – requiring a paradigm shift in order to keep pace with the threat landscape.
Most people think of security as the protection of a company's digital environment – a virtual
hardened shell, protected by security guarding the company's networks, servers, and
applications. The problem with this paradigm is that when you focus on the environment, the
security employed becomes an end in itself and is not directly related to the data it's trying to
protect.
Those who create and handle data are best placed to understand its value, David X Martin
says.
For example, suppose a company is trying to defend against data loss or the unauthorized use
of data. Isn't it far better, from a security perspective, if the data itself is not readily readable
– and can be tracked based on those with authorized access and the business context in which
it is being used?
Further, this approach still works through the multiple defensive layers that a company may
implement as part of a defense in depth strategy.
Data-Centric Security
When we shift our focus from the IT infrastructure to the data that needs to be protected, the
first step is defining “what is the crucial data?” Once that is defined, you can use new, proven
solutions to control how the data is handled and distributed.
Encryption, for example, can help ensure that data is secure whether at rest to in motion. But
it is not fail-safe, because once cyber criminals intrude into a network with stolen, valid user
credentials, encryption becomes useless.
Data masking, which is the process of hiding specific data, is another useful tool. Data
masking can be achieved a number of ways: by obscuring the data dynamically as users
perform requests; duplicating data to eliminate the subset of the data that needs to be hidden;
or just masking the data from users or third parties.

3. Another way to control data is through the use of Data Loss Prevention (DLP) solutions,
which can provide accurate information regarding the movement of sensitive data – and even
block the transfer or delete it when found on unauthorized endpoints. Continuous monitoring
of the data using DLP solutions can help identify breaches in a timely fashion and limit the
damage inflicted.
Achieving Culture Change
The paradigm shift – focusing on the security of the data employing data-centric security –
will change your corporate culture.
Get the users involved. Historically, anything to do with IT security was kept away from
users by IT teams. Little wonder that users show little or no interest in the company's
security.
In reality, users are the front line of data security. They create and handle the data and are
best placed to understand the value of the data. Case in point: Allianz Ireland forced its
users to select a data classification before a document could be shared or an email sent. The
company experienced a rapid culture change within just a few months, resulting in 60%
increase in employee awareness of data security practices and an 89% reduction of breaches.
Engage employees in training applications. Today's cyber risk training focuses on phishing
schemes – not protecting data. Most training programs are not engaging, interesting, or fun.
They try to teach with borderline yes/no questions, and usually 80% of them have “yes” for
an answer. No one fails as long as they answer all the questions. Borrrring!
Now suppose the cybersecurity training is a video game, and you're having fun role-playing a
bad guy who stole valid user credentials and now is trying to steal company data. You
receive points based on how far you succeed in stealing data.
The game is highly engaging, and at the end of the session you obtain a point score that, if
high enough, comes with a reward. Even better, the company now has valid data to determine
employees' cyber awareness – information which could be used to help purchase cyber
insurance.
Make diversity part of the security culture. Self-awareness and consciousness are the first
steps toward changing any undesired behavior or attitude. Employees' decision-making
related to security is influenced by their diversity, their background, openness to discussing
these issues, and attitude about community. But posters, screen savers, and even in-person
group reviews will barely influence your employees' ability to judge threats.
Suppose a data breach occurs, and it is used as a learning experience for everyone. Instead of
just creating a PowerPoint, why not have employees then try to write a phishing email for the
company? This approach takes into account the diversity of your employees and their
varying levels of understanding of the threat.

4. Further, because employees are on the front line and know the company's vulnerabilities, as
well as their own and their coworkers' vulnerabilities, you might learn of additional
vulnerabilities you had no idea existed.
Create a framework that focuses on what is the right thing for security. Looking at
security from the point of view of data, the security framework needs to address these
questions: What are the crown jewels of our digital assets? What people, processes, and
technology are employed to protect them? What would be the impact of a breach of this data
on the organization, and how would we respond?
Strengthening the corporate culture for cybersecurity is not just about developing an
approach that reaches the right people with the right message at the right time. It's about
focusing on the data – and involving all employees at all levels.
David X Martin (dxm@cybxsecure.com) is a former chief risk officer and was founding chair
of the Investment Company Institute's Risk Committee. He is an adjunct professor, author,
expert witness, and co-managing director of cybX. His previous contributions to GARP Risk
Intelligence include For Corporate Boards, a Cyber Security Top 10; and Risk Management
in the Cloud.