In order to build a positive cybersecurity culture, security leaders will need to execute certain key strategies and best practices, says Chief Executive of the ISF Steve Durbin
Culture is a catalyst for security success. It can significantly reduce cybersecurity risks and boost cybersecurity resilience of any organisation. Culture can also greatly enhance the perceived value, relevance and reputation of the cybersecurity function. So how can security leaders develop a positive brand and culture for cybersecurity? Over the course of this article, I lay out some strategies and recommendations that will help ensure a culture of cybersecurity is in place.
Understand the prevailing culture and context
To understand why the workforce behaves in a certain way about technology and security, it is important to understand the prevailing cultural context. For example, regional cultural differences, the particular industry sector, the underlying company structure, a lack of awareness and knowledge of security norms, and conflicting business priorities can all weigh on any planned change to team culture and security behaviours.
Set the right tone for culture to develop
Traditionally, the security function has been perceived as the department of “no.” Therefore, the primary goal of the security team must be to replace this rules-bound, inflexible, autocratic perception of the security function with one that is open, transparent, positive, creative and collaborative. Make a change from saying “No” to “Yes, allow me to explain how to do this in a safer way.” Make promises, not threats.
Set clear goals and aspirations
As part of the design blueprint for security culture change, the security leader should set clear aspirations for what the team is trying to achieve, underpinned by conversations about how the culture underscores the effectiveness of the team, and the importance of making the change. The team should be given a clear sense of purpose; clarity on why they are here, what they need to do, and how they need to behave and be perceived.
Explore fresh ideas and innovative approaches
Cybersecurity leaders must encourage their teams to explore fresh approaches and new ideas, and to be less bound by convention, protocol and historical precedent, putting the organisational need above their own personal agendas in the interests of building effective relationships that drive business value. Think and act positively and strategically, demonstrating ways in which security can support strategy, increase revenues and maintain profitability.
Focus on your sphere of influence
While the security leader’s ability to change the organisational culture may be limited – certainly in the short-term – there is much to be gained by changing the team’s own culture and demonstrating the benefits of such change. Start by focusing efforts where personal influence is highest. If the change is effective, those effects will be noticed, and others may start to replicate and follow the lead.
Leverage branding principles for culture change
A positive culture is best communicated across the business by the application of a strong brand, and this should be a focal point for any culture change strategy. In other words, think and act like a marketer: do some audience analysis, communicate security concepts in a language your audience understands; make cybersecurity more relatable, engage users and promote security programmes using marketing messages, campaigns and influencers, just like you would promote a product or a service.
Learn to walk in the business’s shoes
Be business curious and ask probing questions about what the business or employee is trying to achieve. Have a growth mindset, including actively supporting and aligning cybersecurity strategies to the business cause. Plan and implement security strategies in concert with employees and stakeholders: this comes across as consultative behaviour and opens doors to more constructive and valuable conversations.
Hone soft skills
Changing personal style and approach – such as being an active listener, increasing emotional intelligence, being more transparent – can alter employee perceptions and build more trusting, productive, and cooperative relationships. Practicing the art of storytelling, simplifying the language and building narratives that resonate with the audience can help security teams connect with employees at a more emotional and human level.
Justify security changes effectively
It is important to remember that security adds friction by design. If access cards did not have to be used to enter an office or credentials used to log onto a workstation, employees could indeed access data more quickly – but so could everybody else. While this sounds like a straightforward argument, it is easy to forget the importance of communication and explanation. Security leaders must ensure there is a clear and concise explanation as to why any change is being proposed and that employees are given the opportunity to ask questions and receive satisfactory answers. This fosters a culture of trust and transparency.
Adopt a language of risk instead of security
The language of risk can be more relatable than the language of security. That’s because risk is all about the business and generally understood as a concept. The conversation can shift more to a security language when the stakeholder is ready, rather than it being a forced conversation.
The human factor is the biggest contributor to cyber risk, and it is probably also the most difficult to control, mitigate or tame. Security technologies and controls are certainly important, but above all, culture is the one missing or underrepresented piece that security leaders must start actively focusing on. Treat employees like they have influence, and they will.
About the author
Steve Durbin is Chief Executive of the Information Security Forum (ISF), an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.
Further information
www.securityforum.org
www.linkedin.com/in/stevedurbin