Humans are the problem and the solution
Human factors and cybersecurity go hand-in-hand. First, to be cyber-secure, the elements of security technology must be addressed. While you're executing this monumental task, remember that human factors ought to be a fundamental consideration when creating your security protocols. How humans are approached when implementing security compliance will ultimately determine the level of security within a given organization.
The human is the weakest link in the cybersecurity chain; make them part of the solution, not the problem.
In my experience, this is the most powerful sentence to consider when thinking about the overall cybersecurity of an organization. I repeat, the human is always the weakest link in the security chain; and that's true on both sides of security. Security is built to protect humans, but it's built by humans and the bad actors attempting to break down security are human too. Humans are the common thread, always the centerpiece of both the security problem and the solution.
Given that there are humans involved in every step of the way, an organization can decide to take the view that humans are the problem and govern from that perspective. Alternatively, they can flip their vantage point and take the position that humans are the solution.
With that in mind, they can implement proper cyber hygiene in the organization, while simultaneously unifying their team, as humans take center-stage as the solution. Needless to say, the latter is a much more compelling and effective way to tackle your greatest security challenges.
Making humans the linchpin of your organization's security solutions empowers your employees. It also helps to lay the groundwork for a loyal and cohesive workforce, bound together and working in concert, ensuring your company is secure from the inside out.
Following this philosophy, you'll be much more likely to create an environment with proper cyber hygiene, which is crucial in today's ever-more-dangerous world. Cyber hygiene is pivotal in curtailing both malicious insider threats from disgruntled or opportunistic employees, and non-malicious insider threats from oblivious or negligent employees.
Organizational culture is the tie that binds people together, and that inevitably determines the efficacy of entire organizations. It's important to step back and review how the culture around cybersecurity has evolved substantially in recent times, and how it's become an entirely different process over the years.
Compliance culture versus security culture
Compliance culture was the norm for many years, adopted across countless organizations to promote cyber safety. That world is now long gone. Security culture is now the standard model that many organizations have embraced as a practical necessity for proper organizational cyber hygiene.
Compliance culture – top-down mandate
It's not rocket science: Compliance culture was exactly like it sounds. Be compliant!
If you take a peek at the definition in the Merriam-Webster Dictionary, you'll see that compliance is "the act or process of complying with a desire, demand, proposal, or regimen."
Accordingly, you can probably already guess how an organization's compliance culture played out nearly everywhere. The rule set was established by the top of the organization, with the goal of complying with the relevant legislation at minimal cost, and implemented all the way down through every level of an organization. This was a one-size-fits-all model that harkened back to the command-and-control style of management that was prevalent in the 20th century.
Rules were made at the top and no-one else had any input whatsoever. This top-down rulemaking would percolate through all facets of the organization with little to no feedback from its employees. This was an iron fist model of "you do as the checklist says or else." Deviating from established processes, or going beyond the regulatory requirements, was frowned upon if not outright forbidden. Being a good "citizen" of a compliance culture meant not rocking the boat and staying in your lane.
Security culture – a secure environment
The security model approach is different in almost every way. The perception of security shifts and becomes geared toward a collective approach, with the goal of ensuring that the company remains secure. There's an understanding that legislation is just a starting point and the cost of an insecure system is far greater than the cost of good security. This philosophical foundation makes it widely understood that security is everyone's responsibility, and teamwork is an essential part of that process.
This seismic shift doesn't mean that compliance and jobs specifically focused on cybersecurity are replaced. Instead, their roles become better integrated with the rest of the organization. Seamless dialogue and collaboration are relentlessly encouraged to help bolster security measures. While protocol remains in place, it's tailored appropriately to the employees as humans who share collective responsibility for cybersecurity. Job descriptions don't absolve anyone of their individual responsibility to contribute to cybersecurity organization-wide.
Now that we've learned about how leveraging the human aspects of security is critical to ensuring success, and how security culture is the new norm, let's move on to the four steps I consider essential for instituting proper cyber hygiene.
Continuous training is the first building block in this process, as it gives new security measures a better chance of being embraced by your employees.