• Bookmark

Transforming Risk Culture Through Organizational Culture Leveraging COBIT 5 for Risk

By Ganapathy Kannan, ISO 27001 LA, and Vinoth Sivasubramanian, CEH, CISSP, DCPLA, ISO 27001 LA

COBIT Focus | 5 July 2016

The point has been made again and again and, as per the Forcepoint 2016 Global Threat Report,1 humans are still the weakest link in security. It is, therefore, essential that information security professionals acknowledge and address this problem. Resolving problems within the human workforce is complex, challenging and daunting, but it is definitely not an insurmountable task.

Addressing modern workplace and workforce challenges, coupled with the growing threat landscape, requires dynamic, out-of-the-box approaches. Traditional approaches such as deploying learning management solutions or conducting a one-day workshop on information security no longer solve the problem. To effectively create and implement a culture that clearly understands the risk and is open to managing risk factors, the people in an organization and the environment in which they are operating must effectively support information security strategies and objectives. This article discusses how to develop and implement a behavioral competency model that enables achievement of information security objectives and describes how COBIT 5 can be leveraged to build and model information security behaviors.

Importance of Organizational Culture to Business

It has been proven repeatedly that “Culture eats strategy for breakfast.”2 It is practically impossible to introduce and sustain a positive change in any function of the business without aligning the organizational culture to strategy. Similarly, this is the case with information security. In order to enable a workforce that understands and practices security as part of daily work life, the organization must implement systems and mechanisms to drive the change and achieve the results it is seeking.

What Is Organizational Culture?

Organizational culture is a system of shared assumptions, values and beliefs that governs how people behave in organizations. These shared values have a strong influence on the people in the organization and dictate how they dress, act and perform their jobs. Organizational culture is also defined as the organization’s immune system that protects the corporate “body” from unhealthy thoughts and deeds. It is an extremely important element for information security professionals.

Human behavior and organizational culture—Humans are the building blocks of any organization and they have considerable impact on its culture. In fact, human behavior and organizational culture are so intertwined that they are both a cause and effect of behavior. Figure 1 illustrates the general factors that affect human behavior at work, as they feed into culture.

Figure 1—Factors Affecting Organizational Culture

Source: Mohammed Almahmoud. Reprinted with permission

Factors affecting culture and human behavior—Of the various factors affecting organizational culture, leadership is the most critical in driving organizational change. In today’s workplace, everybody is expected to exhibit leadership capabilities in the function in which they operate. A failure of leadership means a failure of everything within the organization.

COBIT 5 and Culture

Of the various governance frameworks and standards that are available in the market today (Organisation for Economic Co-operation and Development [OECD], World Business Council for Sustainable Development [WBCSD], Capital Market Authority [CMA] in Saudi Arabia, Securities and Exchange Board of India [SEBI] code on corporate governance, to name a few), COBIT 5 is one that acknowledges the importance of culture, ethics and behavior in the overall achievement of organizational objectives. COBIT 5 also clearly underscores the various interdependencies among culture, ethics, behavior and other enablers, as shown in figure 2.

Figure 2—COBIT 5 Enterprise Enablers

Source: ISACA, COBIT 5, USA, 2012

Effective implementation of COBIT 5 within an enterprise relies on organizations having complete knowledge of the current organizational culture—an understanding often lacking in many. Once the current operating culture of the organization is understood, the focus can then move from where the organization is, to where it is going and where it wants to be, using behavioral modeling. The Center for Creative Leadership (CCL) model of understanding the current organizational culture is quite useful in this regard.

CCL Organizational Culture Operating Model

The CCL developed a model of organizational culture that divides the operating culture into the 3 areas described in figure 3.

Figure 3—Operating Organizational Cultures and Their Features



Dependent leadership culture Hierarchical, conservative. Technical expertise is rewarded and success is based on loyalty.
Independent leadership culture Decentralized decision making. Cross-functional knowledge sharing is prohibited; adaptable, individual performance is rewarded. Synergizes only the individual organization functions.
Interdependent leadership culture Openness and candor. Cross-functional knowledge sharing is enabled; synergy exists across the entire enterprise.
Source: Center for Creative Leadership. Reprinted with permission.

How to Analyze Culture

Humans behave well in a supervised environment. However, to really understand the operating culture of an organization, the authors conducted research in which they observed the way each and every function of an organization operates under the guise of benchmarking service standards. (Management clearance was obtained before conducting the research.) The observations were based on the following artifacts, which are generally represented in any organization’s culture:

  • Language
  • Decision making
  • Working styles
  • Stories

Once the operating culture of the organization was identified, the needs and efforts required to reach the desired operating level were documented. Information security practitioners must be cautious when doing this as not all organizations’ needs and goals are the same.

Findings should be supported with objective reasoning and evidence wherever applicable, as shown in figure 4. This was done at every functional level, to provide granularity. The overall operating culture was calculated as follows:

Figure 4—Example Method of Supporting Documentation


Current State



Information technology Independent Interdependent Medium
Purchase Dependent Interdependent High
Source: G. Kannan and V. Sivasubramanian. Reprinted with permission.

If dependent leadership culture > independent and interdependent, then the overall operating culture is dependent.

A rewards vs. efforts analysis was done before reaching a concrete decision on the way forward and to allocate resources in terms of people and money.

A strategy can then be formulated for every department, as shown in figure 5.

Figure 5— Example of Department Strategy Development


Current State

Effort Required

Plan of Action


Information technology Independent Medium Analyze strengths and weakness of resources. High
Cross-train members using existing resources. High
Hold team get-togethers. High
Document expected behaviors. High
Incorporate expected behaviors in processes. High
Train, retrain and reinforce expected behaviors. High
Source: G. Kannan and V. Sivasubramanian. Reprinted with permission.

Documenting expected behavior is the first step toward building a resilient organizational culture. A sample template leveraged from COBIT 5 for Risk is shown in figure 6. It is intended to be incomplete and provide a general framework. Sample outcomes and behaviors are taken from the assessment exercise described in this article.

Figure 6—Expected Behaviors and Outcomes

Expected Behavior

Key Performance Indicators, Outcomes

Shows positive behavior toward raising issues or negative outcomes. Whistle-blowers are seen as making a positive contribution to the enterprise. The “blame culture” is avoided. Personnel understand the need for risk awareness and reporting possible weaknesses.
Business accepts ownership of risk. Risk practices are incorporated throughout the enterprise. Accountabilities are defined and accepted. IT-related business risk is owned by the business and not viewed solely as the responsibility of the IT department or the risk function.
Each stakeholder understands risk and knows the impact of risk on the organization. Stakeholders make decisions based on practices of risk management.
Stakeholders help one another mitigate risk. Stakeholders understand risk perspectives of other departments and help them by implementing controls from their end (i.e., IT implements certain controls to mitigate risk of operations).
Management follows risk management practices. Management respects the policies and decisions of risk management professionals.
Risk mitigation practices and suggestions are rewarded. Employees who practice risk management in their decision making and who have made a positive contribution toward risk management are acknowledged and rewarded.
Employees are educated on risk management. Employees who complete courses on risk management from ISACA and The Institute of Internal Auditors (IIA) are compensated, acknowledged and rewarded. Reward is based on acquiring new skills and the impact those skills have on the organization and its functions.
Source: ISACA, COBIT 5 for Risk, USA, 2013

Resource Allocation

Once expected behaviors were documented, it was then necessary to assign teams and members to the challenging task of organizational transformation. To ensure this was done in the right manner, the human resources (HR) skill matrix within the organization was leveraged. The HR skill matrix was comprehensive enough to document the technical as well as nontechnical skill sets of various employees. After careful analysis and a personal interview with every team member, they were asked to implement cultural change going forward and were incentivized by a reward system. This ensured transparency and buy-in from the employees at various levels. It also contributed to a motivated and committed team.

The team members were then briefed on the way forward and notified that all members were responsible for the single mission of building an interdependent culture within their functions as well as the organization. The management team then briefed employees on the role that information security and management professionals would play in this task and the methodology of handling issues and progress.

Evaluate, Direct and Monitor Strategy

It is necessary to link the results of Evaluate, Direct and Monitor (EDM) to expected behaviors, outcomes and strategy. If necessary, changes in strategy and behaviors can be made, but not changes to the overall vision. Management and information security professionals acted only as facilitators for reducing noise, mitigating negativity, and suggesting course corrections through discussions for achieving a transformed organizational culture that understands risk and practices risk management as part of everyday work. External expertise was brought in wherever and whenever required, however, based on experience, it was understood that once employees were motivated, innovative solutions would be created without the requirement of external expertise. Document evaluations, corrections and discussions were published on the company intranet portal and opinions and feedback were solicited from everyone. Every function and employee had access to lectures and expert videos on organizational transformation, culture, risk management and other relevant topics. This ensured knowledge dissemination on an ongoing basis.

Management and Continual Improvement

Measurement of behavioral change is probably one of the most daunting and challenging tasks. However, to strengthen and maintain established baselines of culture, ethics and behavior, the organization implemented the following internal mechanisms:

  • Established baselines—After careful consideration of the documented behavioral outcomes, the performance baselines were established. The example in figure 7 is intended to encompass only 2 aspects of documented behavior outcomes referred to in figure 6. Measurement of behavioral outcomes will vary across organizations.

    Figure 7—Performance Baselines


    Measurable Outcomes

    Measurable Criteria

    Employees become knowledgeable on basics of risk management Number of employees who complete the training At least 95% employees to complete the training
    Management respects decision of risk management professionals Number of policy exceptions approved by management that could be dangerous for the organization There should be no dangerous policy exceptions approved by senior management
    Source: G. Kannan and V. Sivasubramanian. Reprinted with permission.
  • Self-assessment and internal review—Team members who were part of the transformation initiative conducted periodic self-assessments on the documented aspects of behavioral change every quarter, and an independent assessment was done by expert behavioral consultants on a yearly basis to validate the results. Reports of these results, after careful anonymization, were published on the intranet with identified timelines on closure.
  • Implementation of open monitoring community resolution systems—As the prime objective of the organization was to drive home an interdependent working culture across functions, an online system/hotline that could be accessed from outside of the organization network was implemented. Focus group members who were part of the transformation initiative also held informal meetings with employees and recorded deviations. This encouraged identification of factors such as managerial pressure on the expected outcomes, which could then be corrected. All recorded instances of nonconformities were addressed through a community resolution system comprised of members across functions and positions. This mechanism was essential to driving home the point that organization leaders are serious and committed to change and deviations would be dealt with appropriately.


As the saying goes, change is hard at first, messy in the middle and beautiful in the end. The overall journey of understanding and improving culture within the organization was implemented over a year with minimal investments. Even if not all of the items on the list, which is extremely ambitious, are achieved, the journey ahead is still worth every effort and makes the organization a more positive and engaging workplace. Therefore, if every organization were to concentrate some time on improving the working culture of its operating environment, it would go a long way in bringing about the necessary results. However, care should be taken not to lose focus on routine activities and the other business targets.

Ganapathy Kannan, ISO 27001 LA

Is a passionate, dedicated senior information security executive with RC Ideal Groups Ltd, who loves implementing frameworks. Kannan is active in the information security community in Chennai, India, and has delivered talks at Nullcon and at ISSACA Chennai gatherings.

Vinoth Sivasubramanian, CEH, CISSP, DCPLA, ISO 27001 LA

Is the chief information security officer for RC Ideal Groups Ltd. His expertise is in topics such as governance, risk management and compliance; organization design; risk management; IT audits; fraud risk assessment and organizational culture. He is a firm believer in the philosophy that only a combination of people, processes and technology can enable a holistic solution to the various challenges faced by organizations. Sivasubramanian is active in the null information security community in Chennai, India and has received accolades from his peers. He was recently given special recognition for his contribution to the governance, risk management and compliance community by CISO Platform, an online community in India.



1 Forcepoint, 2016 Global Threat Report
2 Rick, T.; “Organisational Culture Eats Strategy for Breakfast, Lunch and Dinner,” Meliorate, 11 June, 2014