How to Create a Culture of “Healthy Paranoia”

Dan Holden of BigCommerce shares his take on how healthy paranoia plays into creating a positive culture of cybersecurity.

In an increasingly connected world, no one is immune to cybersecurity risk. You don’t have to be in the middle of an incident to know that cybercrime and data breaches are widespread across all industries — and capable of bringing even a major corporation to its knees. In fact, according to Flashpoint’s 2022 Year in Review, there were a total of 4,146 reported global data breach events in 2022.

On the other hand, with social media’s massive adoption and smart devices becoming increasingly commonplace, many of us are also guilty of being too lax about cybersecurity. How many times have you reused the same password across multiple accounts? Or clicked on a suspicious link you shouldn’t have? Needless to say, being neglectful about cybersecurity can be just as dangerous as being too rigid.

So where’s the happy medium? That’s what we at BigCommerce like to call “healthy paranoia.”

What is “healthy paranoia?”

A study from Stanford University and Tessian found that roughly 88% of all data breaches are caused by human error — which goes to show that cybersecurity is not simply about leveraging the best technologies, but instilling an awareness in your employees.

Of course, raising awareness through fear-based tactics or taking a draconian approach can cause more harm than good. If your security team is only associated with doom and gloom, employees may become too afraid of messing up and less apt to speak up when an incident does arise.

Instead, the goal of healthy paranoia is that everyone in the organization feels empowered to report incidents, ask questions and collaborate to find solutions. Rather than slapping employees on the wrist, an organization with healthy paranoia has an open-door policy where there are no “stupid questions”; more than that, every question is welcomed and encouraged. That starts with building a strong company culture: establishing a set of attitudes and beliefs that drive safe behaviors, and nurturing in employees a sense of responsibility that their daily actions affect the organization’s risk.

So how do you practically build a culture of healthy paranoia? Here are three actions to follow:

  • Start at the top
  • Cultivate strong relationships
  • Guide internal teams to be security champions

Start at the top.

If you want to build a lasting company culture, it starts from the top.

In fact, during his onboarding with BigCommerce, our own CEO, Brent Bellm, made a suggestion to IT about reducing risk — and even in a meeting today, many of our executives brought up the conversation of risk before I could.

This goes to show that getting buy-in at the leadership level first is crucial before targeting the rest of the employee base. If employees see their managers, directors and especially C-suite executives following cybersecurity best practices, they’ll likely be more apt to follow suit.

Cultivate strong relationships.

During my 25 years of experience in the cybersecurity and IT industries, I have learned that a key component of success is building strong relationships between security teams and the rest of an organization.

With an often-reported average tenure of two years, many CISOs come into a company like a bull in a china shop their first year, looking to make bold moves rather than taking the time to build relationships. This can happen for a variety of reasons: perhaps a recent breach, or compliance or regulatory needs that require a fast-paced rollout of security controls. Either way, it can heavily influence how employees view that new CISO and the security program as a whole. When I came into BigCommerce, I was fortunate enough to spend the first year focusing on three things: our merchants, our infrastructure security and, most importantly, cultivating strong, collaborative relationships.

Why? Because your employees have the potential to be your greatest security control.

This is especially important with a remote workforce, where building those relationships can be easier said than done. It’s easy to have your employees click through a training video, but it’s much harder to get them to actually want to read your email or take your call. Without the convenience of seeing employees in an office, being able to grab lunch or have a casual conversation in passing, security teams must be more deliberate in building those relationships remotely.

Although cybersecurity education is important, building strong relationships between security teams and the rest of your organization is foundational to creating a lasting company culture. Make sure your security team has an open-door policy, where all employees feel comfortable and encouraged to ask questions and point out incidents. Carve out time to reach out and get to know your company’s employees. Involve them in tabletop exercises and incidents and encourage collaboration. While not every CISO is able to kick off their tenure with a company this way, it’s important to recognize the foundation that a positive security culture provides for the overall security program.

Guide internal teams to be security champions.

One of the biggest challenges for security teams is that they’re often seen as blockers to the organization. However, by guiding internal and external teams to become security champions, organizations can overcome this tension and even work side-by-side with internal teams to create a strong cybersecurity culture.

A security champion is an employee — on any team within the organization — who acts as an extension of the security team, helping to enforce and encourage cybersecurity best practices and stay on guard for any potential security incidents.

But how do you equip employees to become security champions?

Of course, there’s nothing more educational than an incident. As the old Warren Buffett quote goes, “The chains of habit are too light to be felt until they are too heavy to be broken.” You don’t learn from getting things right; you learn from getting things wrong. But no company wants to go through an incident, no matter how educational one may be — which is why tabletop exercises and training programs can be so beneficial.

Many of your employees, especially sales and support, are your frontline defense against a number of common tactics, such as phishing and social engineering. By engaging them in tabletop exercises and training programs, they’ll have the knowledge and confidence to do their part in defending your company against attacks.

The Final Word

Living in an age where cyber attacks and data breaches are commonplace, it’s no secret that cybersecurity is top of mind for many organizations. But just as it can be detrimental to be too lax about cybersecurity, it can be equally dangerous to be too fearful.

Building healthy paranoia means not only having the right technology and education, but also investing in a strong cybersecurity culture. This begins by starting from the top, cultivating strong relationships and encouraging internal teams to become security champions. By viewing security not just as a team but as a function that everyone in the organization is involved in, your business will be well equipped to create an environment in which security thrives.
