Cybersecurity culture

Effective cybersecurity may be structurally defined in a business, but it is culturally driven. Organizations should work to change the mindset that cybersecurity is just an IT responsibility—it’s everyone’s responsibility and should be rigorously encouraged across the entire workforce. Employee awareness should the first line of both governance (ownership) of and defense of organizational security. By investing in cybersecurity training and awareness with all employees, company data breaches may be reduced (and in many cases prevented), and the likelihood of an effective response when a breach occurs will increase.

What can be done to align your culture toward a cybersecure mindset?
Culture defined is a system of values, beliefs, and behaviors that shapes how real work gets done within an organization. An organization’s culture that allows for quick adoption of cybersecurity practices is one that has the following cultural elements:

• A high degree of commitment, pride, and ownership in the success of the organization.
• A strong sense of a shared belief toward protecting the organization’s confidential information as well as employees’ personal information.
• A focused mission on information security compliance in day-to-day activities.

Beyond fostering cybersecurity, cultures with committed, engaged employees and shared beliefs can also see gains in other areas, such as productivity, profitability, and customer loyalty. Deloitte’s 2014 core beliefs and culture survey (Culture of purpose: Building business confidence; driving growth) reveals that “mission-driven” companies have 30 percent higher levels of innovation and 40 percent higher levels of retention, and they tend to be first or second in their market segment.

Building these qualities in your culture starts with identifying and assessing your organization’s cybersecurity values and then taking targeted action to cultivate cybersecurity via overarching governance and standardized, cross-department practices. The effort would typically include steps like leadership engagement and behavioral modeling, recognition and rewards, strategic communications, talent management, and training—a comprehensive, multi-point program to support and further cybersecurity.

A case in point: One organization’s response
A public sector organization recently fell victim to a security breach when an employee opened a phishing email. This allowed an external hacker access to the agency’s data system, affecting millions of user information records, and in turn, costing the organization millions. Root cause analysis indicated the breach was due to low awareness of enterprise-wide cybersecurity practices by the broader employee base.

Following the incident, the organization performed an assessment of its security capabilities, vulnerabilities, and workforce culture, and calculated the cost of the breach. Executives across the organization’s Security, Privacy and Human Resource divisions collaborated to execute the assessment and determine how the organization could benefit from an Information Security (InfoSec) program.

The need for improved security measures led to the development and implementation of a central InfoSec program for the entire organization, responsible for:

• Cultivating a cybersecure culture focused on preventive practices in daily workforce actions
• Performing risk assessments that evaluated security controls against a central InfoSec and Privacy control framework
• Driving policy implementation guidance on adopting enterprise InfoSec and Privacy policies
• Launching communication campaigns to create a common understanding and acceptance of the InfoSec and Privacy program
• Facilitating end-to-end talent development plans for InfoSec and Privacy staff, including a statewide skills assessment survey, technical competency model, position descriptions, training framework, a career path toolkit, and organization InfoSec awareness workshops

Thanks to this interdepartmental partnership, the organization has fostered a cyber-aware, cybersecurity-driven culture that makes better-informed information security decisions and exhibits safer behaviors throughout its workforce.