On Thursday 11th May 2023, the North West Cyber Security Cluster hosted "How to Build a Cyber Security Culture" at Manchester Technology Centre, bringing together industry experts, cyber security professionals and enthusiasts to explore the importance of cultivating a strong cyber security culture within organisations.
The informative event provided actionable insights and strategies for creating a security-conscious environment that safeguards digital assets and protects against cyber threats, as attendees heard from experts from leading companies who have demonstrated success in creating and maintaining effective security cultures.
Following an introduction from Paul Boardman, Strategic Growth & Collaboration Lead at North West Cyber Security Cluster, guests enjoyed a presentation from Amy Hanson, Security and IT Operations Lead at Naimuri, a tech company whose goal it is to make the UK a safer place.
Amy shared with attendees how she had developed a passion for cyber security and a desire to keep her peers safe whilst observing the poor use of technology by some of those around her in her earlier career and personal life.
Amy explained some of the ways that Naimuri promote security across their organisation by putting it at the heart of everything they do, encouraging knowledge sharing and working as a team. Some of the key ways that Amy says she promotes security include:
- Compliance with Cyber Essentials and ISO27001.
- Educate users about the risks inside and outside of the workplace.
- Use of our internal security forum.
- Keeping myself informed.
Next up, Dr Aparajithan (Siva) Sivanathan, Head of Digital Technology at Advanced Manufacturing Research Centre North West, shared with attendees why cyber security is important to the manufacturing industry.
Manufacturing is a traditional industry that is seeing a rapid digital rollout, and with a lack of cyber security skills, incidents are rife - 42% of the UK’s manufacturing organisations have been a victim over the last 12 months.
Siva also touched on the conflict between Information Technology and Operational Technology, as they have different value systems and priorities. Siva suggested the solution to this is to mix together people from both sides to create joint teams.
To conclude the event, Paul Boardman chaired a panel alongside Harman Singh (Founder, Cyphere), Raj Kundalia (Consultant and Owner, Cybione) and Oliver Johnson (National Security and Intelligence Account Director, CACI).
Some of the key points raised included:
- Raj: “The first step to building a cyber security culture is to look at what is currently in place, and begin by speaking to employees and directors. Every company is unique, and you need to understand what culture is currently in place to be able to focus on embedding a new cyber security culture.”
- Oliver: “Good cyber security culture is flexible and adaptable. You need to have good policy, procedure and the support of the whole organisation from senior management down to the work experience. If any of these pillars are missing, then that should be your focus.”
- Harman: “Sometimes directors don’t care about cyber security, sometimes consultants don’t care. Security must be an enabler, and your cyber security culture is inherited from the organisational culture.”
- Raj: “When it comes to board level buy-in, you need to establish what is their definition of cyber security? Everybody will come up with a different answer. I often show directors the dark side of the web, and use this exercise to educate and scare them. They need to understand the impacts of a poor cyber security culture and why they need cyber security. Cyber security training can be a tick box exercise and we need to move away from this mindset.”
- Oliver: “To try and avoid training becoming a tick box exercise we get our security controller to sit down with new starters and talk through the training using real life examples. This helps to provide context around why they need to do what we’re asking.”
- Harman: “People, processes and tech need to work together in tandem. One layer won’t save you, all three things need to work together. Don’t blame somebody if they have clicked it, make them learn from their mistakes.”
- Oliver: “It’s very important to have a no blame culture. If anybody has a breach in their security processes, they need to know they can come to us and say there has been a breach. That is absolutely fine and they won’t get in trouble. Organisations must treat it as a learning experience.”
- Raj: “Think about explaining cyber security to an 8-year-old and find the ‘why’ - find their language and communicate in it.”
Thanks once more to everybody who joined us for this event, along with our panellists and speakers. A strong security culture is not a luxury, but a necessity that could mean the difference between success and failure in the face of cyber attacks, and we hope this event provided valuable insights into how to build a cyber security culture in your own organisation.