A process not a product: why changing the perception of cybersecurity is essential for ongoing success


Are you struggling with adoption and adherence to cybersecure practices from employees in your organisation? Or maybe you’ve had some initial success, but are having trouble making the new behaviours remain relevant and an embedded part of individual conduct.

In either scenario, failure to achieve lasting change with any new system, knowledge or process can often be traced back to a missing piece in the process of shifting the employee mindset from passive recipient of information to active investor and catalyst in that idea or thing.

Too often cybersecurity is approached from the perspective of introducing a technology product. Although tech innovation and intelligent product solutions are essential for protecting our safety online, in any cyber campaign there are many important elements that must work together cohesively for progressive long-term success.

Let’s take a look at some of them.

Strategy & Process

If achieving organisation-wide cybersecurity was as simple as installing a new piece of technology and asking everyone to use it, we’d have eliminated cybercrime entirely. Unfortunately, technology is only helpful when used correctly and consistently, along with elevated awareness and buy-in among employees. And for that, you’ll need a long-term strategy.

At Victoria University (VU), our Cyber Strategy spans three years, and contains initiatives designed to firstly quickly address the gaps that were found as part of a thorough risk analysis of systems and processes. Focus then shifts to enhancing our capability to detect, defend, and recover from cyber attacks, before  focusing on automating and augmenting our critical capabilities.

Within that strategy, there are sixteen separate initiatives spanning physical and cybersecurity intersections with certificate and key management, cloud and network security, identity and access management, multi-factor authentication, information and asset classification, privileged access management, security architecture patterns and more. Each is designed to further our strategic goals while enhancing employee awareness and adherence.

As with any strategy measurement of successful awareness raising and observance of new processes is paramount. We regularly monitor levels of employee knowledge and cybersafe behaviour by measuring our ongoing phishing simulations, engagement with our communications, feedback surveys for some of the initiatives, attendance and engagement during workshops and training sessions to deliver some of these new technologies and processes. All of these together show a picture of an increasingly cyber resilient and savvy workforce.

People & Culture

After two decades of organisational focus on cybersecurity worldwide, up to 95% of breaches are still caused by our inability to predict what we and other members of our family or organisation are opening, downloading and sharing. When it comes to cybersecurity, human error is still the weakest link and addressing this through people-centred awareness activities is one solution to countering this risk.

At VU, we operate a series of approaches to creating a more self-aware and accountable workforce that champions the cause of both personal and organisational cybersecurity. Through our proactive cybersecurity awareness program, we help staff, students and the local community learn how to take control of their online safety. Hands-on information sessions, free antivirus software, multi-factor authentication and regular updates on safe browsing, scam emails and phishing, as well as giveaways of essential hardware like webcam covers, have helped create a culture where cybersecurity is seen as an ongoing lifeskill to be practised in all environments, not just something to remember at work.


While cybersecurity is more than a product, picking the right products and introducing them in the right way to support an ongoing process of protection and education is important.

In your decision-making, you should focus on how well the product will lend itself to end-user adoption and ease of training, as well as gather the support and excitement of end users and stakeholders prior to deployment.

Consider conducting a pilot of the new technology with a small group within your organisation to test and monitor user-experience, level of support and training required and satisfaction with the technology before implementing organisation-wide. When it comes to rolling it out, adopt a phased approach to ensure hypercare is available to each section of your organisation as required. And count on regularly checking back in on an ongoing basis to ensure the technology is still being employed and address any difficulties with user process.

At VU, technology is considered for implementation if it meets broader strategic goals, business needs, and end useability. There must be answers about why do we need a solution, why this solution, how would it work, and what does it improve or fix. This approach was taken before landing on a Multi-factor Authentication solution for VU moving forwards. We needed it because it solved a critical security problem for the organisation, it solved it in a way that was easy for our staff to adopt – with minimal training and setup required. And when communicating about it, we heavily focused on why it was needed, the fact that it helped stop criminals from accessing staff accounts, and that MFA is something they should definitely use in their personal lives too. Even after a year after implementation, we continue to communicate the benefits of MFA in personal lives.