Why You Need a Cybersecurity Culture

And 7 Ways to Build a Strong One

Many executives recognize cybercrime as a business risk. But only 36 percent of organizations in an EY study say that cybersecurity is involved from the planning stage of new business initiatives.

The problem? Adding technologies or services – such as a third-party cloud service – can introduce new threats to the organization, adding risk that it may not be prepared for.

To mitigate risk effectively, organizations must foster a culture that elevates the cybersecurity function to a more integral role in the business. And it starts, as they say, at the top.

What is a cybersecurity culture – and why do you need one?

In too many companies, the importance of cybersecurity is misunderstood – even underestimated – by the lines of business, and even operations like finance.

No longer just a back-office “problem,” a company’s cybersecurity effectiveness directly impacts the business.

Still, 48% of organizations in the earlier referenced EY study say their board does not have a full understanding of their cybersecurity risk – and nearly half lack confidence in their cybersecurity program.

An executive-led commitment to a better, more collaborative relationship between the business and the security team is critical to bridging this gap – and begins with helping employees in all areas of the business understand the benefits of being a more secure organization – as well as the potential impacts of insufficient security.

It’s more than just establishing awareness, though. Secure operational practices must be adhered to, and permeate day-to-day activities across the organization – and from top to bottom.

How is this level of commitment to security attained? It must be woven into the fabric of a company and the attitude of its employees through the establishment of a strong cybersecurity culture – the set of shared principles, ideas, processes, and training that communicates, influences, and guides enterprise-wide behavior in order to protect the company’s information and digital assets.

A cybersecurity culture is, according to Forbes, “the most important element in an organization’s security strategy.”

It’s everyone’s responsibility

Cybersecurity tools and technologies alone aren’t enough to keep criminals at bay. Employees play a big part too, and a strong cybersecurity culture can help reinforce their collective responsibilities, behavior, and commitment to keeping your organization safe.

If you don’t have a cybersecurity culture (you’re not alone!), or need to strengthen an existing one, follow these 7 tips:

  1. Share the Bigger Picture
    Share with your employees where cybersecurity fits into your overall corporate strategies and goals. Explain the roles that functional teams and individual team members need to play, based on the position and strategic decisions the executive leadership makes.
  2. Provide Regular Training and Education to Increase Team Member Confidence
    Technology users are the most significant risk to cybersecurity. According to Stanford University researchers, 9 in 10 data breach incidents are caused by employee mistakes, including clicking on a phishing email. Regular training and exercises, such as phishing simulations, can be beneficial and can help to reduce human error – and therefore, reduce risk.
  3. Remove Fear
    Many employees are afraid to inconvenience or “bother” the IT or cybersecurity team with something they think might be silly. But early detection of threats is key, so encourage employees to share anything that looks suspicious with your security team, and ensure that your security and IT teams partner with employees – welcoming their information and cooperation as a first line of defense.
  4. Encourage Two-Way Listening
    Many security vulnerabilities are created inadvertently when security teams add “friction” to everyday processes in an effort to strengthen security. But if security measures are too complex or take too much time, employees will create workarounds – such as creating shadow databases and financial reports – to enhance their productivity and make their lives easier. Compromises between security and productivity may be needed in order to develop solutions that align with your cybersecurity culture.
  5. Engage Employees, Don’t Lecture Them
    Cybersecurity policies and procedures must be updated regularly, but need to be presented to employees in a way that is easy to understand, concise, and that reinforces and encourages their participation in terms of the “all-in” benefit to the organization (reducing risk, improving security posture, etc.). Keep the frequency of the updates to a minimum so that recipients aren’t tempted to tune out.
  6. Celebrate Individual Successes
    Highlight examples (no matter how small) of employee efforts to reduce risk. This will make the employee who took action feel valued and will reinforce the idea that all employees have an important role to play in keeping your organization safe.
  7. Celebrate Organizational Successes
    If the organization meets specific cybersecurity performance metrics, celebrate. If there is a breach, but it was handled well, and the damage was minimized, celebrate that as well.

While adjusting the culture and behavior of your organization from top to bottom is not a simple – or quick – task, it’s worth the effort. Use the tips above and take that first step toward a safer organization today. A strong cybersecurity culture is a crucial component of your overall strategic cybersecurity plan, and one that will actively contribute to reducing risk and improving your organization’s security posture.