According to Junglemap user data, managers often outperform their employees in completing their cybersecurity awareness courses. Of course, this is a good sign of managers taking their own digital and cybersecurity behaviors seriously.
But when employees take a survey after the completion of their latest cybersecurity Junglemap-courses, there’s usually a quite low percentage saying that their managers pay enough attention to cybersecurity.
Our simple conclusion is this: managers in general are increasingly aware of the importance of cybersecurity, but they fall short in acting as leaders in creating a resilient cybersecurity culture.
Being a manager means that you have many tasks on your desk. Playing a key role in your organizations’ cybersecurity culture being just one of them. In the post-pandemic worklife, working remotely also adds its own security challenges, and responsible managers must take these seriously. For many, this might seem like a challenging task, given that most managers don’t have specific IT- or cybersecurity skills.
But this is where many organizations go wrong and make the mistake of viewing cybersecurity as an ‘IT-issue’ when it’s really an operational issue where most organizations need to be much more people centric. The role of the manager in a resilient cybersecurity culture is not about knowing everything about the technical aspects of IT-security. It’s about being a manager and a cybersecurity leader in the organizations’ security culture.
To put it simple, there are two levels of security culture:
1. Concrete (policies, objectives etc.)
2. Abstract (attitudes, norms, beliefs etc.)
Both levels affect the organizations’ security climate and managers need to help implement and enforce decisions and policies, and to promote a good security culture among colleagues and employees.
As facilitators, managers are simply responsible for making things happen. Establish work processes, delegate tasks, ask the IT-experts for help — and nurture a secure culture and climate. By showing that security is important, supporting employees and trust their competence, they will be motivated to take a personal responsibility.
There are basically five key perspectives that all cybersecurity managers and leaders need to keep in mind:
• Make cybersecurity conversation a part of the daily routine
By starting the conversation about cybersecurity risks in the day-to day tasks and work. Use ongoing awareness training to provide managers with nice conversation starters.
• Let your coworkers shine
Allowing a team member with some expertise or knowledge about security to share that knowledge or examples is a great way of building a security culture.
• You don’t need to have all the answers
Leaders shouldn’t be afraid to be vulnerable and admit that they don’t know all the answers. In fact, sometimes this enables team members to speak up and share knowledge with the group. Be transparent in displaying your own mistakes.
• Reward openness
Share lessons learned with the team and don’t keep them to yourself. Or give the stage to a member of the team to tell something about it: this facilitates a culture where it is ok to report mistakes and rewards openness.
• Actively search for answers
Managers must lead the way to where their coworkers can find the answer and stay curios themselves. If an individual question becomes the quest of the team, it drives a common knowledge development.
Junglemap have just released a new updated version of or course Information Security Awareness for Managers were we in 9 short 3-minute lessons highlight the key issues that managers need to be aware of in order to act as cybersecurity leaders – without being technical IT-experts.