Cyber Security Culture: The Missing Link
An effective business strategy is comprised of a series of core elements. Competitor analysis, product-market fit, and organizational capabilities are critical components. They are key links in the chain that enables successful delivery of the business strategy.
Likewise, effective cyber security has several core elements. The two elements most CISOs and business leaders focus on are technology and compliance. Advances in threat detection and internal monitoring technologies are making it harder and harder for bad actors to get inside a company and wreak havoc. And regulatory compliance policies and processes have the benefit of focusing our attention on prevention and quick response.
If these were all we needed, then we should be winning the cyber security war. But all too often it seems that we are not winning, and in some cases we are falling far short. The global cost of cyber-crime is currently at around $600 billion and is expected to top $1 trillion very soon. The growth rate of cyber attacks increased 27% between 2017 and 2018. It’s getting more and more expensive to invest in technology and compliance to try to keep up.
It’s not just large companies being targeted by the growing number of hackers, criminal gangs and nation states. All sizes of business as well as political, governmental and social organizations are under attack. Small organizations don’t have the capital for the latest cyber technology, and additional compliance is often a cost burden as well. Yet a successful breach in a small company can easily lead to its demise.
We need another strong link in the cyber security chain!
Cyber Security Culture
Corporate culture is either an enabler or a barrier to successful strategy execution. The same is true for cyber security and so far, we have paid only lip service to the importance of a cyber safe culture. And the data clearly shows how important it is to the cyber security equation.
One of the fundamental reasons why organizations are not focusing more on cyber security culture is the traditional way culture has been defined and how difficult it is to accurately assess the causes, or drivers, that determine our culture. We currently have very little data. Most culture data is subjective at best and the result of employee surveys. I honestly doubt that employee surveys give us a real picture of the culture, and certainly not the cyber security culture.
The classic definition of culture, established in the 1970s by Professor Ed Schein of MIT Sloan School of Management, focuses on employee behaviours, beliefs and shared values.
A pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way you perceive, think, and feel in relation to those problems.
As a result, most culture assessments and definitions focus on behaviours, beliefs and values. These are extremely hard to quantify and even harder to connect to business outcomes.
But what if such behavioural definitions of corporate culture were actually describing the outcome of a culture, and not the culture itself? An important question to ask to understand culture more deeply is “what in the organisational system is driving or influencing people to behave in habitual ways inside the company?” With this question in mind, we open up a more fruitful understanding of culture and can define cyber security culture in a way that allows us to map, model and quantify the culture and its impact on cyber risk.
Cyber Security Culture (CSC) is an interconnected system of policies, processes, rules, company goals, leadership focus, management and supervisory actions, and employee attitudes that together influence how all employees behave towards cyber security.
Looking at cyber security culture as a business system can give the CISO and business leaders new insights, and most importantly, point out specific cyber security risks that are inherent in the culture, but previously invisible.
- Data and metrics are readily available inside the company that can help determine which specific elements of the culture act as security enablers or risks.
- Seeing cyber security culture as an interconnected system helps employees better understand how their work and actions directly impact the health of the company.
- A cyber security culture system map points out those various business functions that are acting as stand-alone silos and not an integrated part of the cyber security solution.
- Cost-effective solutions can be easily pinpointed to improve the overall effectiveness of cyber security, saving resources and costs compared with standard across-the-board “culture improvement” programmes.
- The effectiveness of the cyber security culture can be tracked over time and linked directly to important business metrics. Thus, improving the culture will have a direct impact on cyber security and can be measured.
- A business systems model can help executives proactively manage the culture using culture analytics to determine the impact of proposed change activities.
By having technology, compliance and culture in the tool kit of the CISO, we can make even greater progress on protecting our information and our people from the growing tsunami of cyber crime. Cyber security culture is our “human firewall”.
John R Childress. Chairman, CulturSys, Inc.
John is one of the early pioneers in researching, advising and consulting with global leaders on corporate culture and its impact on performance. Beginning his work in 1978 he first learned about the impact of culture after working at Three Mile Island Nuclear Plant following the accident to build a new safety culture. Over the past several decades he has advised and supported global business leaders and teams during turnarounds, M&A, new strategy execution and international expansion where corporate culture plays an important role in success or failure.
Recently he has been focusing his work on cyber security culture to bring a key missing link to global organizations in the fight against cyber crime.
His recent books, Culture Rules and Leverage: The CEO’s Guide to Corporate Culture, are must-reads for a real-world understanding of corporate culture.