IT leaders widely acknowledge that a strong cybersecurity culture is essential for maintaining an organization’s security. It’s defined as a collective effort that serves as the main defense against cyber threats.
Despite the importance of cybersecurity culture, however, organizations face various challenges that can easily weaken it. ITPro Today’s “State of Cybersecurity in 2023” study, which polled 142 IT professionals, found the following:
- About three-quarters of respondents cited budget constraints as a top obstacle to improving cybersecurity strategies.
- Thirty-six percent pointed to staffing issues as a top challenge.
- Twenty-one percent reported that their organizations had yet to implement the principle of least privilege.
- Thirty-six percent said that their organizations had not implemented zero trust.
Insufficient staffing, constrained budgets, and a failure to adhere to security best practices elevate the risk of a breach. In addressing these challenges, organizations must consider the human side of security. While the term “cybersecurity culture” is often proposed as a remedy, what exactly does this term entail, and how can organizations successfully cultivate it?
Creating a Culture of Responsibility
CISOs and security teams are often assumed to bear the responsibility of creating and implementing an organization’s security practices. The reality is that true security extends beyond these teams. An organization cannot be deemed secure unless every member understands their role in maintaining its security. This sense of collective responsibility forms the foundation of an organization’s cybersecurity culture.
According to Yoav Nathaniel, CEO of Silk Security, a cybersecurity culture should ensure that every employee is educated on security risks and held accountable for contributing to risk-level reduction efforts. Since each employee plays a part in protecting an organization, the security team should serve as mentors and set expectations for the organization’s cybersecurity culture. The security team must teach every employee to not only spot and avoid phishing and malware attempts but also to understand the proper protocols for reporting such incidents.
Even when there is no immediate threat, a strong cybersecurity culture prioritizes proactive measures rather than simply responding once a threat is reported. To that end, Igor Volovich, vice president of compliance strategy at Qmulos, said that continuous security monitoring and thorough compliance assessments are important.
“[A culture rooted in cybersecurity] involves integrating real-time data analysis into everyday cybersecurity practices, ensuring that compliance is not just a box-checking exercise but a dynamic, ongoing process,” Volovich said. “Creating this culture requires a shift from traditional, periodic compliance assessments to a model where compliance and security data are continuously monitored and analyzed, allowing for immediate identification and remediation of risks.”
Who Is Responsible? And For What?
As organizations evolve, many have shifted their approach to security management, moving away from centralized IT structures toward a more distributed workforce model. “IT used to be that there were one to three teams that were responsible for all of IT and security, which meant ownership and alignment were fairly simple,” Nathaniel explained. “Nowadays, organizations may build thousands of applications across hundreds of engineering teams or have international divisions with all sorts of system standards, which is changing the way cybersecurity is getting done.”
Every individual who interacts with IT introduces technology risks, making it crucial for organizations to strategically define IT risk ownership and responsibilities, Nathaniel added. “Well-defined risk ownership can make it significantly easier for security teams to facilitate and delegate risks to their rightful owners.”
With that said, the CISO and security teams are often crucial in developing security best practices and educating employees on how to identify and avoid threats. Employees are frequently considered the weakest link in an organization’s security, which is why they must learn to recognize and report malicious emails, encrypt sensitive data, use strong passwords, and stay informed about evolving cloud security threats.
In addition to education, it’s vital to instill a sense of social responsibility in cybersecurity. This is best achieved when employees feel respected, supported, and engaged in their work.
While security teams are responsible for identifying, mitigating, and taking preventative measures against cyber risks, it’s not their responsibility to own an organization’s overall risk. Many CISOs seek executive buy-in before stepping into the role, ensuring they are not expected to take on cybersecurity responsibilities and liabilities alone.
As CISOs face increasing pressure to prevent breaches and comply with changing regulations, some CISOs are requesting Directors and Officers (D&O) liability coverage, Nathaniel noted. CISOs also seek “organization-wide accountability that is aligned with the board of directors’ risk appetite.”
Making Sure Rules Are Followed
Even when security workers strive to provide employees with sufficient training, challenges inevitably come up. Many organizations cannot dedicate enough time or resources to continual cybersecurity training. Some employees may resist change when asked to engage IT differently, while others might not be interested in cybersecurity at all. Some employees might find the training inaccessible due to technology knowledge gaps or language barriers.
An effective way to make security training more effective is to integrate it into everyday work, according to industry experts. When employees perceive cybersecurity as an integral part of their job rather than a mandatory day-long training session, they are more likely to feel a personal investment and individual responsibility.
Organizations are adopting training techniques that cater to different learning modalities. An example is the gamification of phishing and malware training. By incorporating elements of game design such as a point system, badges, levels, narratives, case studies, and “What Would You Do” scenarios, gamified training makes cybersecurity practices more enjoyable for many users. A gamified approach taps into participants’ competitive nature and may include interactive videos, simulated phishing attacks, puzzles, and role-playing activities.
The Importance of Executive Buy-In
Leadership is responsible for shaping and embodying an organization’s values, so higher-ups must prioritize cybersecurity and model security practices in what they say and do. Beyond emphasizing the importance of cybersecurity through actions and communication, leadership must be willing to allocate funds for cybersecurity initiatives, which tend to be expensive. The financial support ensures that security teams are adequately staffed, trained, and supported, mitigating the risk of burnout.
Leadership also sets the tone on issues of transparency and regulatory compliance. Collaborating with security teams, leadership should establish clear expectations around compliance demands and implement protocols to monitor compliance. These protocols may involve conducting regular audits, implementing security controls, and using threat detection technologies.
In the event of a breach, leaders should be prepared to promptly inform the public about any compromised data. Transparent communication strengthens trust with stakeholders over time and signals to security teams that leadership accepts collective responsibility. The approach ensures that the higher-ups are not exempt from taking responsibility in the aftermath of a breach, further reinforcing the organization’s commitment to cybersecurity.