The recent ISACA-CMMI Institute cybersecurity culture research illustrates the accomplishments and gaps that are seen in organizations’ cybersecurity culture. The survey-driven research focuses on culture and continuous improvement, both essential components to a successful cyber risk management program.
In this blog post, I will highlight some of the survey’s findings and then discuss ways you can improve your organization’s cybersecurity culture.
Some positive steps I noticed:
- 75% of organizations are getting management more involved with cybersecurity culture
- Most organizations can identify business benefits realized through better cybersecurity
- 87% think that better cybersecurity would improve profitability or viability
- 60% of organizations do not have very successful employee buy-in
- 42% of firms do not have a cybersecurity culture plan
- 55% think the CISO owns cybersecurity culture
Achieving a strong cybersecurity culture requires action on many fronts: people, process, technology and outside partners. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that most organizations are getting management more involved. However, it is important that the C-level regularly communicates the importance of security to management and to employees. An annual communication to all employees will not work.
Continuous, incremental improvement is vital. In fact, the root of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and specific elements, like risk management. An effective risk management program is the basis for a good cybersecurity culture.
What factors inhibit continuous improvement of risk management programs (and associated cyber security culture)? Humans can grow but do not accept dire reports of impending disaster – think of Cassandra and the Trojan Horse. Humans may, however, accept incremental adjustments in risk awareness or mitigations. Another reason risk management programs fail to get support is that the CISO is not seen as a “business partner” with other top executives. A promising metric for me was that 87% of respondents believe that better security can lead to better business outcomes. CISOs need to speak in terms of business benefits in order to be a business partner with other CXOs. CISOs also need to build personal relationships with their C-level peers.
Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture. One thing I noticed in the survey is that 55% of respondents think the CISO is responsible for corporate cybersecurity culture and only 6% assign this to HR. I believe that any cultural change must be supported by a partnership involving HR or other “people-focused” centers of influence. Cybersecurity culture is really not different than any other type of culture and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years; there is no need to reinvent the wheel.
One resource for cultural transformation is John Kotter’s eight-step model for transformation. Cultural change is the last step in the transformation process. It is preceded by defining a sense of urgency, forming a powerful coalition and five additional enabling steps. Another model for organizational change is Jay Galbraith’s Star model. He highlights the five functions needed in designing an organization: strategy, structure, processes, rewards and people.
These functions can be utilized to create or transform the security organization and culture that you want in your business.