Cyber Risk Culture Part I

Cyber SC
Jul 25, 2017

What does a healthy cyber security culture look like? When you talk about culture and behavior in an organization, you’re talking about the ‘People’ component of cyber security. People are often an attractive target for cyber attacks. In your organization, they likely are the weakest cyber security link and, therefore, represent your greatest vulnerability. If there is one vulnerable department or area, your entire organization is put at risk.

If you are on the board of directors or part of the senior leadership in your company, please let this be an incentive to you: A resilient risk culture helps the board perform their fiduciary duties. Since cyber security is a critical part of risk governance, you want to build a framework of roles and areas of responsibility underneath you. The framework, however, is only effective and sustainable if you can successfully establish a culture of individual responsibility. We have identified five important components of an effective cyber risk culture:

1. Motivated People

This is where the rubber meets the road. If you can genuinely understand the true perspectives of your staff concerning cyber security, then you can find a starting point for communication that affects cyber security culture. At the motivation level, people’s attitudes and beliefs guide their behavior. Here is where decisions are made to either engage or become indifferent to cyber security in your company. Paying attention to this area, which drives employee decisions, and creating a safe place for people to communicate will give you a forum to influence them on a deeper level. This will set the stage for sustained success as opposed to just temporary behavior modification as they conform to standards imposed upon them externally.

2. Communication Channels

Starting with putting capable people in key positions of influence, you want to establish fluid and effective communication channels going both deep into the organization (right down to the front-lines) and wide across the enterprise. This robust and open communication network begins and ends with committed leaders that are setting a positive tone from the top. The leaders make sure that ongoing threat intelligence is disseminated to all areas of the organization and that everyone is receiving up-to-date education, training and support. There is timely information shared horizontally across the departments, maximizing visibility of critical security issues. In terms of reporting security threats or concerns, there is an easy process to escalate issues to enterprise risk leaders. The quality of communication from your cyber security culture leadership will ultimately determine the success or failure of your cyber security program.

3. Catalysts for Change

Closely related to communication channels are the methods a cyber resilient organization uses to strengthen their security culture. In today’s evolving threat environment, ongoing change is required to mount an effective defense to cyber attacks. Not only does there need to be baseline education on cyber security risks, there also needs to be ongoing training to equip your staff to deal with cyber attacks. This must include regularly battle-testing your plans to make sure they are effective and everyone clearly understands their roles and responsibilities. As in most areas, leadership involvement in staff education and training and leading by example will pay dividends for your organization. Finally, providing rewards and recognition to staff from company leadership for good cyber risk management practices will reinforce good behaviors.

4. Alignment with Business Priorities

We have said many times that major business decisions should all be made with cyber security in mind. The other side of the equation is also true: All cyber security decisions should be made with strategic business objectives in mind. In our view, the reason for cyber security is BUSINESS GROWTH — to support business processes, products and services so that your company can not only remain in business, but have a competitive advantage and gain market share. Consistently communicating this message throughout the company (aligning security with business priorities) is part of a long-term road map to cyber security maturity. It is using the ‘defense’ of security as an enabler of business.

5. Inter-Departmental Involvement

A common misconception we regularly encounter is that ‘cyber security is an IT problem.’ To clarify this issue once and for all, the IT function does not equal the Cyber Security function. Cyber security is an area in which all staff are potential targets and, therefore, all staff are responsible to do their part. Every employee in your organization must be educated, trained and regularly updated on cyber threats. Effective cyber security execution requires representation from across the organization, not only from IT, but from front-line staff, sales, marketing, customer service, HR, legal, business unit managers, the Executive Leadership Team and the Board of Directors. Creating and sustaining healthy cyber security culture means that the Board of Directors and the ELT are ‘Cyber-Literate’ along with other capable leaders at the various levels throughout the organization.

Culture is a powerful force that can be leveraged for the good of your organization. In fact, if done correctly, the above five components of cyber security culture will support effective cyber security governance at the board and C-Suite levels. As corporate leaders, your life will be a lot easier if culture is working for you in all departments across the entire enterprise. In our next article, we are going to show you HOW to practically go about implementing an effective cyber security culture.