Cybersecurity Culture: Practice Matters

August 07, 2020 by Becky Metivier

Cybersecurity Culture: Practice Matters

So, you’re well on your way to creating cybersecurity culture in your organization. You’ve built a foundation of institutional knowledge, and you’ve carefully considered how people, process, and technology play a role. But there is one more element to think about… that is testing.

But not just testing. Practice is also important. One of our security advisors often says you can’t think your way into playing the piano. Practice will help you achieve cybersecurity resilience. Have you ever done well on a test you haven’t practiced or prepared for? Most likely, no.

Your test results will often dramatically improve when you practice. By nature, we approach tests differently than practice. During tests, people often get into a weird headspace. There’s pressure to perform, and that can adversely affect performance. Learning doesn’t typically happen in a test environment either.

What does it mean to practice cybersecurity?

IT procedures are a good example of ongoing practice. IT professionals are always practicing some form of response procedure. Tasks such as building systems, changing systems, and configuring systems are exactly the kind of process-oriented practice for a disruption or disaster. Those roles outside of IT don’t usually get the opportunity to practice their cybersecurity responsibilities.

The whole point of practice is to exercise a capability, so you can improve without measuring performance. When performance isn’t being measured, people tend to be more relaxed and not focused on learning.

The body and the mind need to get memory of things, and practicing is a great way to do that.

Types of Practice

  • Phishing Practice: Have participants try to identify phishing emails, and reward them for meeting certain goals, such as identifying the clues that make it a phishing email. Then, put all the correct responses in a hat, and give away a gift card. It’s always important to use carrots instead of sticks during practice.
  • Vishing Practice: Get a group together to run though telephone or network pretexting scenarios. First, have someone run through the scenario in the correct way, then give everyone a turn to do it themselves.
  • Undocumented Disaster Recovery Practice: This includes system restoration, backup restoration, and changing over to alternate sites/equipment. You should also practice manual process testing and downtime procedures.

Now You are Ready to Test

Testing can assure your controls are working as designed and intended to and includes:


  • Social Engineering: Vishing can ensure employees know how to identify fraud attempts over the phone. Phishing emails will help ensure they know how to identify fraudulent emails and websites. Both will also enable you to ascertain if you’re providing the proper training.


  • Audits can help you determine if processes are working and allow you to understand if everything is operating according to policy.


  • Perform external penetration testing to ensure your perimeter defenses are properly configured, patched, and monitored.
  • Internal configuration analysis and vulnerability scanning can help ensure hosts are properly hardened/onfigured, patched, and monitored.
  • Disaster recovery testing will ensure alternate sites, equipment, and connectivity are functioning as expected.

Regular testing as a great way to solidify your organization's cybersecurity culture, but be sure to practice the skills to ensure cybersecurity resilience.

Related Content