Think You Have the Right Cybersecurity Culture? Think Again.

Fifteen years ago, the U.S. government designated October as “National Cybersecurity Awareness Month.” As the name implies, the program “is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online, while increasing the resiliency of the Nation during cyber-threats.”

Wow. An entire month dedicated to helping us ward off cyber-threats. How’s that working out?

I certainly don’t mean to diminish the commitment or efforts by the good people at the U.S. Department of Homeland Security. I understand this is one of those well-intentioned goals embodied by a marketing slogan, and the career professionals whose job it is to keep America, its business community and its citizens safe against cyber threats care more about results than marketing hype.

But in all honesty, can we agree that this is a rather foolish attempt at addressing the problem? Hey, you could have National Cybersecurity Awareness Month/Week/Day/Hour/Minute, and it would probably not move the needle one micron toward a more secure enterprise.

But I can tell you what would: Building an organizational framework of cybersecurity culture—and living it every minute of every day. There’s just one problem with that goal: Too many organizations think they’ve already done that.

They’re usually wrong.

“Culture” is one of those things that have been difficult to define, harder to implement and nearly impossible to measure. It’s like former U.S. Supreme Court associate justice Potter Stewart, who famously said of pornography, “I can’t define it, but I know it when I see it.”

Fortunately, enough attention is being paid to the need and process for creating a strong cybersecurity culture that we can identify some best practices that organizations should consider adopting. And those go far beyond putting up posters in the workplace, holding training workshops and coining catchy slogans like “Security is Job One!”

“When it comes to cybersecurity, culture is a huge deal, and it is a very real component for creating a more secure organization,” according to Patric Versteeg, who regularly advises business and technical executives on how to build and maintain a strong cybersecurity culture. Writing in Navigating the Digital Age, Second Edition, Versteeg talks about the undeniable, universal requirement for every single person to not only comply with the guidelines established in a cybersecurity culture, but to actively participate in their creation.

“Defining and living a cybersecurity culture requires viewing the issue from two different, yet interdependent perspectives: as senders and receivers,” he wrote. Senders (the business and technical leaders) establish the baseline requirements to ensure cybersecurity culture aligns with, and even enhances, the organization’s overall values and behavior. Receivers (those who take in, process and act on the directives) must have skin in the game, not only to follow the rules, but to contribute to the process, he said.

George Finney, chief information security officer at Southern Methodist University, frames cybersecurity culture in an interesting way, calling them “good habits,” in much the same way that physical wellness and healthy relationships are achieved by following good habits. And he is clear in his thinking about how good habits—while intensely personal—are promoted, recognized and reinforced in the overall cybersecurity culture: “The C-suite and the board play outsized roles in promoting this kind of good behavior,” he wrote in Navigating the Digital Age.

His recommendations to business leaders may sound like they come out of Leadership 101 taught at any executive training seminar, and there’s a good reason for that: They are time-tested approaches that have worked in other elements of corporate culture, and they now need to be applied to cybersecurity culture:

  • “Executives need to exhibit ‘intentionality,’ based on the things they do, what they say and how they ask questions.”
  • “Unfortunately, too many executives display an air of entitlement when it comes to cybersecurity habits, often personified by that frightening word: exceptions.”
  • “Executives need to support the CSO and the HR director in institutionalizing training programs for good cybersecurity habit development, and they need to participate in them, as well.”

As Versteeg points out, creating the right cybersecurity culture is much less about dictating fiats and policies, and much more about explaining the implications of risk and in establishing a path toward change management. And one of his most important steps in creating a strong cybersecurity culture is side-stepping the long-used negative approach to cybersecurity–don’t do this, you can’t use that tool or service, you’ll lose you privileges if this happens.

Instead, he said, “Ultimately, one of the best ways to think of a culture of cybersecurity is to talk about ‘getting to yes’ as a way of supporting innovative business ideas without exposing the organization, its employees, and its customers to increased risk.”

“Getting to yes” might be construed as a New Age business mantra relating to everything from how to close a sale to negotiating better timeframes with supply-chain partners. I’m sure hundreds of books have talked about the subject, as well as countless podcasts, webinars, training materials and blogs.

But getting to yes isn’t just consultant-speak for dealing with tech-savvy millennials; it’s about finding a way to balance the need for an engaged, motivated and innovative workforce or user base with the demands to keep the organization, people, and data secure against a rapidly expanding set of threat vectors.

Of course, this is incredibly important, and business leaders need to be extremely vigilant in applying the right sense of urgency to how a culture of cybersecurity is planned, built, applied and managed. I’ve seen some corporate culture experts talk about the need to get employees and users more deeply engaged in this process by “gamifying” the development of cybersecurity culture. But, as someone who’s been on the employee end of this process and the management end, let me be clear about how dangerous it can be to trivialize the creation of good cybersecurity culture. This is not a way to make reluctant employees follow the rules without feeling pressured to do so: This is deadly serious stuff. Of course we want employees and users to be motivated to be active participants in every step of this process, but this is not a game. Money, brand reputations, and, in some cases, even lives will be damaged if this is not elevated to the highest level of urgency.

And whose responsibility is that?

At the end of the day, it’s up to the business leaders—much more so than the CISO, CIO, or individual users of IT services—to set the tone for the appropriate cybersecurity culture. “Leaders must take big steps toward institutionalizing  good cybersecurity habits throughout their organizations,” according to Finney. “Without it becoming part of the corporate culture, it will never be actualized by employees at the office, on the road, or at home.”

Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led or helped develop some of the most successful and influential high-tech media properties over the past several decades.