Amid relentless cyberattacks and mounting regulatory pressures, security culture has been thrust into the spotlight. Often underestimated, security culture has profound effects on organizations. It’s crucial to recognize security culture as a shared tapestry of attitudes, beliefs, knowledge, and values that directly informs an organization’s ability to withstand adversity. While it’s easy to cultivate a culture of blame, fostering resilience by empowering individuals presents a far more formidable task.
Consider this question: Within your organization, do individuals feel free to openly discuss and elevate potential enterprise-level cyber concerns? For the majority, the answer is a resounding no. In these organizations, fears run the gamut from shaming to loss of trust to even loss of job security.
Yet it should be patently clear that a poor security culture complicates roles and risks harm to the enterprise. Take chief information security officers (CISOs), whose tenure is the shortest in the C-suite, at a mere two years. CISOs face daunting obstacles — a striking example is the counterproductive idea of “one throat to choke.” While commonplace in vendor relations, the phrase also finds use in the unfair burdening of CISOs with responsibilities that should be shouldered by the organization as a whole. Confrontational postures pit C-suite leaders against each other, yielding fragility. The mounting pressure is undeniably taking its toll on CISOs, exacerbating workforce challenges and undermining the safeguarding of organizations at a time when the attack surface is growing and AI-enabled cybercrime is making headway.
Prioritizing People
Does your security culture fall into the all too common binary “All is well when things run smoothly, but chaos ensues at the hint of a breach”? If so, it’s imperative to take a hard look at your security culture. Leaders might draw inspiration from aviation security and consider adopting a “just culture” approach. Far from blame-shifting, “just culture” assigns accountability and responsibility without emphasizing blame.
The opposite values are too easy to instill. Take poor cybersecurity training that enshrines shame. Backfires may occur when otherwise well-intentioned employees are targeted with misleading emails designed to entice them into engaging with malicious content. Failures are then used to justify further training. In other cases, employees may endure monotonous regimens aiming for compliance with iffy policies. Worse still, training efforts often fail to keep pace with current threats, feeding into security fatigue. Leaders would do well to pay close attention to the values instilled in risk training and ensure that it aligns with their culture.
A New Path for Leadership: Alignment and Accountability
To get security culture right, an organization’s leadership needs to demonstrate commitment to cybersecurity by prioritizing resources and advocating for transparent practices and accountability. Remember that while responsibility can be delegated, accountability flows upward.
When there is no clear accountability in cybersecurity, small issues can cascade to become the basis for serious breaches, triggering costly recovery efforts, lawsuits, and government regulatory actions. Consider how the new SEC cybersecurity rules address accountability and risk management.
Organizations should work to foster a culture of collaboration, education, and shared responsibility. This involves educating leadership about the evolving threat landscape, establishing clear reporting structures for cybersecurity, aligning security goals with overall business objectives, and ensuring that cybersecurity is consistently integrated into decision-making processes.
Leadership alignment issues are apt to arise, typically when executives do not share a consistent vision and commitment on enterprise risk. And visions are deeply tested in crises. Among the most glaring problems is inadequate communication between business units or leaders, hindering the timely exchange of information when it is needed most. Inconsistent governance may also yield more confusion regarding cybersecurity policies, roles, and responsibilities. (Professional tip: NIST’s new Cybersecurity Framework 2.0 now includes the category “Govern.”)
Changes in culture and leadership awareness are hard won. Leaders might resist implementing new measures that are perceived as disruptive to existing operations. While it’s imperative to row away from the rocks, leaders might prioritize short-term financial gains over long-term resilience, missing investments in cybersecurity — such as visibility into the network — that offer incremental improvements. Often, such concerns are allayed by better, plain language information sharing or tabletop exercises that address the consequences of breaches or the necessity of resources for cybersecurity.
Senior leaders can demonstrate their commitment to cybersecurity by following best practices. Consider the example of CEO Werner Lanthaler, who rushed to his office after discovering that his biotech firm Evotec had suffered a cyberattack. Lanthaler led from the front, speaking to stakeholders, employees, and the media while remediation took place. Would your organization’s leadership be prepared to do the same?
Given the stakes, it’s time to become guardians of the cyberverse by prioritizing people and security culture. Whether achieved through AI-enabled automation, proactive identification and resolution of issues, or the equitable distribution of risk management responsibilities, the goal must be resilience. Nothing less than your organization’s future is at stake.