The recent
In this blog post, I will highlight some of the survey’s findings and then discuss ways you can improve your organization’s cybersecurity culture.
Some positive steps I noticed:
- 75% of organizations are getting management more involved with cybersecurity culture
- Most organizations can identify business benefits realized through better cybersecurity
- 87% think that better cybersecurity would improve profitability or viability
Some gaps:
- 60% of organizations do not have very successful employee buy-in
- 42% of firms do not have a cybersecurity culture plan
- 55% think the CISO owns cybersecurity culture
Achieving a strong cybersecurity culture requires action on many fronts: people, process, technology and outside partners. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that most organizations are getting management more involved. However, it is important that the C-level regularly communicates the importance of security to management and to employees. An annual communication to all employees will not work.
Continuous, incremental improvement is vital. In fact, the root of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and specific elements, like risk management. An effective risk management program is the basis for a good cybersecurity culture.
What factors inhibit continuous improvement of risk management programs (and the associated cybersecurity culture)? Humans can grow but do not accept dire reports of impending disaster –
Another reason risk management programs fail to get support is that the CISO is not seen as a “business partner” with other top executives. A promising metric for me was that 87% of respondents believe that better security can lead to better business outcomes. CISOs need to speak in terms of business benefits in order to be a business partner with other CXOs. CISOs also need to build personal relationships with their C-level peers.
Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture.
One thing I noticed in the survey is that 55 percent of respondents think the CISO is responsible for corporate cybersecurity culture and only 6 percent assign this to HR. I believe that any cultural change must be supported by a partnership involving HR or other “people-focused” centers of influence. Cybersecurity culture is really no different from any other type of culture, and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years; there is no need to reinvent the wheel.
One resource for cultural transformation is
These functions can be utilized to create or transform the security organization and culture that you want in your business.
(This post originally appeared on the ISACA blog, which can be viewed