How a CFR Team Contributes to a Culture of Security
April 5, 2016 by Bill Rosenthal

If you're responsible for the success of a business, you need to take two broad approaches to protecting your information assets: 1) train all your employees to recognize and resist intrusion attempts and 2) train a cadre of specialists to monitor your network as a whole and respond to threats.

I have often written in this blog about the advantages of 2), here most recently. To briefly reiterate, a team with, say, the Logical Operations CyberSec First Responder certification can

  • analyze threats
  • design secure computing and network environments
  • proactively defend your network
  • respond to/investigate cybersecurity incidents to minimize losses to your organization 

A well-trained CyberSec First Responder (CFR) team can also reduce the “dwell time” of criminals who manage to invade your network, thus greatly reducing the losses resulting from intrusions. Given that the average time it takes a business to detect an intrusion is 205 days, this in itself is a competitive advantage.

But there’s another reason for designating, training, and supporting a CFR team: it signals to your organization that you take security seriously. And signaling to your organization that you take security seriously is a fundamental element of creating a culture of security.

How important is a culture of security? It’s at least as important as security technology, and maybe even more so. Think of your employees as your first firewall. They stand between your organization’s information assets and the thieves who want to plunder them. Intrusions that are based entirely on technology are rare. Most intrusions result from fraud that takes advantage of employee carelessness, lack of judgment, or even criminal intent. A culture of security is a constant reinforcement for your employees in protecting the organization. It supports them in their protective behavior and discourages inclinations toward treachery.

Imagine a neighborhood without police. It quickly becomes unsafe, not entirely because there’s no one there to prevent crime, but because the lack of police means a lack of sanctions against disorder. People are ordinarily well-behaved and law-abiding, but when you remove restraints on criminal behavior, the few with criminal impulses take advantage and many people then follow suit, often in self-defense. 

The Wikipedia entry on Broken Windows Theory suggests there are at least three factors in a community that help to ensure law and order:

  • social norms and conformity
  • routine monitoring
  • social signaling 

You don’t have to be a criminologist to know a culture of security will go a long way toward reinforcing those three factors in the community of your organization. 

My advice is that you designate, train, and support a CFR team and promote their visibility within the organization. You may even want to consider ways to enhance the team’s prestige: stage a competition among candidates to join it, regularly report on it in the company newsletter, have its members visit and give presentations to other departments on security. Promoting the importance of the CFR team this way can contribute both to social norms and conformity and to the reassurance that contributes to safety by letting people get on with their work. Finally, the CFR team itself will provide the routine monitoring that helps to keep your network safe.

It’s not all about technology and law enforcement. You need to find as many ways as possible to support your employees’ adherence to security policies, exercise of good judgment, and recognition of fraud. The presence of a certified CFR team can only help.