Answer this multiple-choice question: My organization’s cybersecurity culture is like a:
- Tornado
- Cactus
- Puppy
- Onion
Rob Honomichl, an assistant professor of Practice in Cyber Operations at The University of Arizona and a former instructor at Dakota State University, asked that question of attendees at the 2022 Sioux Falls Cybersecurity Conference.
Is it like a tornado, where a cyberattack may come out of nowhere even though some people shared the warning signs? Is it prickly like a cactus, effective at keeping hackers away? Or is it more like an onion with many layers — and potentially bringing the IT team to tears?
Honomichl said he likes the analogy of a puppy — “Everyone thinks it is important and really wants it, but no one wants the responsibility and cost that comes with the messes," he said.
While Honomichl’s response elicited a laugh from attendees, it also illustrated the different types of cybersecurity culture and the challenges in changing it.
In his career, where he has been both an instructor and managed IT, Honomichl has learned that telling stories helps build and change culture. Governance, policy and educational training/awareness are the keys that influence culture, he said. When governance is missing, the principles of an organization don’t buy into a cybersecurity policy and nothing changes. Without effective policies, culture can’t change, he said. And the most important part of all, he said, is education and training.
“It’s OK to make a mistake and share it,” he said. “I tell people to be vulnerable and share when you messed up. Even the best of the best can make a mistake. Admit to others and try not to treat it like a punishment.”
But — punishment is one of the biggest obstacles to change. If someone makes a mistake, there may be punishments or shame involved. Many policies are created with punishment in mind.
“Tests are good, but how we handle mistakes isn’t always good. Education is an opportunity — don’t punish for the mistake as we all make mistakes. The negative experience can make someone not care,” Honomichl said.
Education goes beyond the workplace, too, he said. In telling stories and educating about why cybersecurity is important, it helps create ownership within the organization.
“I’ve found, over time, if you talk to people and include protecting their family and friends and information at home, they better see their role and responsibility,” he said. “If it’s just a work thing, you’re not making it fun or relevant.”
Honomichl would love to see cybersecurity become the new “watercooler” conversation topic at the office. In lieu of that, he suggests sharing little tidbits when it makes sense — like sharing a quick fact or story at the end of a Zoom call, for example. Are there notes or signs that can be put up in conspicuous areas that help with education? If there’s a cybersecurity story in the news, share it, he said.
“I always go back to the person. You can have the best technology in the world, but it’s easy to click on something and get exposed,” he said. “Then it doesn’t matter if you’ve spent billions on your tech; it’s all garbage.”
The annual Sioux Falls Cybersecurity Conference is hosted by the Greater Sioux Falls Chamber of Commerce in partnership with the Better Business Bureau of South Dakota.
Anyone interested in learning more about keeping their businesses safe from cyber threats can attend the Better Business Bureau's next free Cybersecurity Event from 8 to 10 a.m. on Wednesday, April 26, on the Black Hills State University Campus. The building is at 4300 Cheyenne Boulevard in Box Elder just east of Rapid City. Reservations are required.
