The force multiplier to organisational cyber security and cyber resilience? Culture.
Award-winning Chief Information Security Officer Mac Esmilla writes that culture trumps technology at World Vision.
There are a number of critical functions and controls that make for effective cyber security practice in an organisation as large as World Vision (35,000 staff in around 100 countries). But there is one that stands out: culture.
World Vision’s culture is built on our four principles: we are Christian, we are committed to the most vulnerable, we value people, and we are stewards (of our resources). When I was recently contacted by the people at Cyber Defense Magazine I told them our approach to cyber security was filtered through these core values.
Why? Because while it is very advantageous for an organisation to have an effective combination of advanced modern cyber security technology, well-designed cyber security architecture and fit-for-purpose policies, when you socialise them to staff you risk speaking a different language, one people don't understand or find persuasive.
Over the years my colleagues and I have discovered that, by speaking in the language of core values that everyone knows and shares, and by tapping into our organisational DNA, we have been able to make significant progress in promoting cyber hygiene and safety.
Instead of talking about data protection technologies or products, we talk about the need to safeguard the data of our supporters and the most vulnerable people we serve. We advocate that protecting people’s data is akin to protecting people themselves. Protecting financial data is about honouring the gifts our donors have given us for our relief, development and advocacy work.
Also, we try to speak IT with a humanitarian accent. Rather than trying to persuade colleagues of the need for cyber security and compliance, we appeal to the very reason the organisation was founded 70 years ago: disaster preparedness and response. People who work in our industry understand the need to prepare for, build resilience against and respond quickly to the worst-case scenarios.
World Vision has “Be Safe Online Standards” comprising six essential cyber security measures:
- Spot signs of phishing: mismatched and misleading information; use of urgent or threatening language; promises of attractive rewards; requests for confidential information; unexpected emails; suspicious attachments.
- Use antivirus software.
- Be careful what you download: do not download apps that look suspicious or come from a site you do not trust. Do not download and open suspicious-looking files. Do not download and install software not approved by the global IT team.
- Practise safe browsing: do not visit dangerous online neighbourhoods.
- Update software promptly.
- Use a strong password and use multi-factor authentication: we recommend all staff create long, complicated passwords.
However, anyone who works in the IT sector knows that all the best practices and the latest and greatest technology products in the world won’t be very effective if you are not also working on the ABC of the organisation: Attitude, Behaviour and Culture. Being an organisation where most staff share the same faith, and where everyone is motivated to help children live life in all its fullness, means that cyber defence messages delivered through culture and values are more likely to stick.
No system or approach is perfect, and we certainly have our challenges, but our approach means that everyone, no matter their location, language or job title, knows why cyber security is as much a part of our mission as delivering food aid or getting children into school.
Mac Esmilla is Global Chief Information Security Officer and leads the Global Cybersecurity Programme for World Vision International. He was recently listed as one of Cyber Defense Magazine’s Top Global CISOs for 2022. Judges assess candidates for innovation and for unparalleled success in communicating with their boards and senior executives, detecting and stopping breaches and data loss, complying with regulations, and building powerful risk reduction programmes for their organisations.