How can a CIO promote a culture of cybersecurity awareness and vigilance?

CIOs and CISOs spend millions of dollars on firewalls, virus protection and physical barriers to prevent cyberattacks. Yet they often underestimate the importance of establishing a culture that supports cybersecurity awareness and vigilance. Humans are the weakest link in many cyberattacks, and a healthy security culture helps ensure employees follow best practices to mitigate risk.

Cybersecurity culture starts at the leadership level, and a company’s leaders should prioritize the issue. One CEO, for instance, kicks off every all-company meeting with a cybersecurity story—recounting personal experiences or discussing relevant newsworthy incidents. Other executives should also make it clear that cybersecurity isn’t a technical responsibility reserved for IT staff but an intrinsic part of the company’s values and principles.

When the CIO or CISO leads by example, everyone else in the organization sees that cybersecurity is serious business and follows suit. This is especially important for non-cyber executives, who should be visible supporters of cybersecurity efforts and promote the proper behaviors to their teams.

To cultivate a culture of awareness and vigilance, companies should provide regular training and reinforce the need to keep up with current risks. Educating employees about how to recognize the latest threats and best practices to mitigate risk will help ensure they follow the right procedures, such as never clicking on a suspicious email or leaving a computer unattended in a public area.

Companies should also emphasize the value of reporting suspicious activities and emails. Employees who do so should be rewarded for their commitment to cybersecurity. Incentives like extra vacation days, free food or increased salary can motivate non-technical employees to support the security cause and take action when they see red flags in their coworkers’ emails, online research or other work activities.

Cybersecurity education is a key component of an overall strategy that also includes fostering a culture of accountability. This requires formally evaluating employees’ behavior and providing rewards and consequences for appropriate and inappropriate responses to cyberattacks. At an insurance provider, for example, if an employee failed to report a phishing attack or made another critical mistake, it would be reflected in their performance review.

A successful cybersecurity culture takes time and effort, but it’s worth the investment. Data breaches cost companies millions of dollars, and the more aware an employee is of possible attacks, the less likely they are to be caught off guard by a malicious link or other threat.

While most training programs focus on raising awareness, it’s also important to shift the mindset from awareness to vigilance. For instance, training a user who clicked on a phishing link corrects their error and reinforces best practices, which can help form habits that protect them from future errors.

Some security leaders recruit volunteers to serve as cybersecurity ambassadors and engage colleagues both through formal training programs and informally, such as by encouraging their peers to participate in lunch-and-learn events or other informal interactions. This approach can accelerate the speed and scale of an awareness campaign, while enlisting people who have a natural affinity for promoting security.