There's no question that building a positive cybersecurity culture is essential to protect your firm.
With most cyber risks coming from employees and staff, culture has a huge influence on your organisation's cybersecurity posture. But what do we mean by "culture", exactly?
Culture is based on “rules or expectations of behaviour and thoughts based on shared values and beliefs within a specific cultural or social group”. A long sentence for sure, but what it really means to me is that culture is a journey. It's about setting expectations and principles and sticking to them. It's about building in predictability and not just walking past a poor example of the culture you are trying to cultivate, or looking the other way when it's convenient. The expectations you set for how your people should behave and act need to be clear well before tools and technology come into play. A lot of companies get stuck in the shiny allure of new technology, but it will only take you so far if you don't have the culture to go along with it.
Sowing the seeds of a cyber-aware culture
The first step is establishing a case for cultural change. Kotter established an 8-step process for bringing about cultural change within an organisation, and I find it helpful to refer to it when sparking a significant cultural transition.
- Create a sense of urgency. Make sure people know where the challenges lie. Enlist help to gain support, and make sure the people who are actually responsible understand their responsibility (think CEO and Board).
- Build a guiding coalition. Once the sense of urgency is established, work out who the key players are that will support you.
- Form a strategic vision and initiatives. Agree on what needs to change and the specific actions you'll take.
- Enlist a volunteer army. Include people from your team and firm, and get them to contribute. You might find your next CISO among the people you already have.
- Enable action by removing barriers. Seek approval for budget, and tell stories to gain acceptance of the changes.
- Generate short-term wins. Find ways to leverage cybersecurity to provide a win. This could be clients asking for more secure processes so they can give your firm more work, or talking to your cyber insurance provider about how they can lower their fees.
- Sustain acceleration. Don’t stop. Keep pushing for incremental improvements and quarterly updates. Add more initiatives, and make sure they're aligned with your frameworks.
- Institute change. At this point, cultural change should be taking root. Make sure you highlight the positive effects on the organisation and the business as a result of its cultural evolution.
The principles for fostering cultural change
Kicking off a cultural evolution is one thing; making sure it sticks and becomes part of the fabric of your organisation is another. Here are a few key principles that will help ensure a positive, thriving and enduring cybersecurity culture becomes a permanent feature in your firm.
It takes time to establish a strong cybersecurity culture; it takes leadership, risk and planning. You have to define what principles you want, get leadership buy-in, assess risk, legislation, etc., and then work out the next best steps. One of the things I did when I started this role was to hire someone I trusted and have them report to someone above me. I could've had them report to me, but I believe the CISO should ultimately report to the CEO or the highest possible rank whenever possible. Sure, there was a dotted line on the org chart, but I just got out of the way and supported them in owning the role. The CISO is key; they have to genuinely want what's in the best interest of the firm, and have the autonomy to bring about change. Then overnight (well, 8 or so years later) you'll have a positive culture. Yes, 8 years. In reality, it probably took 5 years of incremental improvement, but this can vary greatly from firm to firm.
It’s really easy just to say no to everything, lock things down and be a human wall. In practice, though, this rarely works. You have to give people enough rope to learn, explore and develop, but have the controls in place to protect them. Doing so creates a collective "us" view as opposed to taking sides. There's still an "us vs them" mentality in many firms, and if you don’t walk this tightrope carefully, you'll find that people work around you rather than with you. If you're not collaborative and inclusive, you might be seen as a blocker rather than a facilitator. You'll stop getting invited to meetings to contribute, and it'll be a very slippery slope to navigate. I have seen CISO-level people shut things down, chase utopias and hold on to unrealistic budget expectations, having a cyber appetite bigger than what the firm is willing to fund. They don’t last very long. As I noted above, the business works out a way to exclude and work around them. It's well and good to have aspirational goals, but you also need to be practical, reasonable and show support. When you receive feedback on your ideas, remember, it's not a "no", it's an "OK, how can we work this out?" opportunity.
Be a coach
Training, awareness and storytelling are your greatest tools. It's really important to coach your people; mandatory cybersecurity training, in short bursts that are engaging and funny but get the point across, is highly effective. We use Mimecast for training our people with a 5-minute monthly course. This quick awareness refresher on a regular basis reaffirms the importance of cyber and keeps it front-of-mind, which is far better than a once-a-year, 20-minute info dump. Storytelling is a great way to make sure a message sticks. When someone does something well, like foiling a phishing attack or asking the right questions, celebrate that. We often use a kudoboard to note stories in real time, which we use later in board presentations and executive meetings to raise people's profiles. And when someone does do something wrong, we don’t hang them out to dry or punish them. Naming and shaming is not just harsh, it's also ineffective. Instead, we coach and support them using similar stories and help people understand the impact, all of which has been far more effective in managing cyber risk.
Leadership teams can and do care about cybersecurity. Awareness is on the rise and they realise they're on the frontlines, so engage them and find out the right level of detail you can share with them. Be transparent but smart; if you don’t have a board per se, use the leadership team instead. Cyber culture needs to come from the top and has to be seen as a priority by regular people in the firm. For instance, when you pass a training module in my firm, you get a GIF of our CEO giving you a double thumbs-up, or our CEO will drop you a note based on a positive cyber story. Sure, he's been prompted to do it, but it really connects with staff and is tangible proof that the firm cares about cyber resilience. Bring the leadership team on the journey with metrics, statistics, and external data wrapped up in some stories so they can connect and relate.
This is just a primer, a couple of simple points to illustrate the key elements that go into creating a positive cyber culture. There are so many angles to cover with cybersecurity over and above the technology landscape that it's not easy to cover them all in one go. And as the cybersecurity landscape grows more complex, it's getting more challenging to stay on top of it. That's why ensuring your organisational culture is positive and cyber-ready is really foundational for success.