According to newly released ISACA and CMMI Institute research on cybersecurity culture, only 34 percent of employees have a sound understanding of their role in their organizations’ security culture. While some may find this statistic startling, I see it more as sobering. It’s a stark reminder that a culture change does not happen overnight, and when it comes to cybersecurity, it comes as no surprise that 95 percent of respondents indicate a significant gap between the culture their organization desires versus the its current state. The ISACA and CMMI research also found that a lack of employee buy-in is the primary factor inhibiting a strong culture of cybersecurity. And a subtle irony of this is that employees are the weakest link in the cyber threat chain. However, as pointed out in a 2017 ENISA report, employees also offer the potential to “become robust human firewalls against cyber attacks.”
Critical to an organization’s culture is the high dependency on its shared beliefs, its values, and most importantly, the actions of its employees. Workplace culture expert and author Jamie Notter notes that culture is, at best, difficult to change, often taking as long as eight years to evolve into its desired state. But with the threat surface expanding at an exponential rate, and the threat landscape moving at the speed of change, how long do we really have to make the cultural shift?
I suggest thinking differently. Instead of simply referring to the need to change our organizational culture, let’s invest our efforts in making this a more widespread movement to combat cybersecurity threats. In a 2017 Harvard Business Review article, Bryan Walker and Sarah Soule reference five practices for leading a movement:
Why is a movement to combat cyber threats important? It is a risk management and business issue in support of the organization’s success, profitability and sustainability. Nine in 10 respondents to the ISACA and CMMI survey indicate establishing a stronger cybersecurity movement would increase their organization’s profitability and viability — two variables that are essential to any enterprise’s well-being. But wait, there’s more. Link the movement to local and global economic prosperity, and to assurances of public safety. Create experiential training around this to embed it into employee thinking and behavior.
Employees share concerns about cybersecurity and want to do the right thing. However, they find themselves unsure of what they can do in their current role. There is a lack of understanding of what actions are deemed by the organization to be representative and valued in the fight against cyber threats. Enterprise leaders need to share accountability for removing this ambiguity by showcasing examples of successful employee efforts, no matter how small. Then employees will have the confidence to rise up and take further action.
This means that coalitions should be formed both inside and outside of the organizations. If your internal coalitions get together, they will breed energy that will be contagious across all other groups. If the organization can shape relationships with other enterprises, the movement spreads beyond the organizational boundaries and the return on investment increases exponentially.
Fostering trust between the security team and employees is another important component of healthy organizational cyber culture. Even with the deployment of coherent policies and regular training, mistakes will inevitably be made. Sketchy attachments will be opened, unapproved software will be down loaded, and employees will plug in unidentified devices. When these and other mistakes occur, employees must feel comfortable reaching out to their organization’s security team to report any concerns so that corrective action can swiftly be taken. Organizations must strike the appropriate balance between emphasizing accountability for all employees’ actions without discouraging them from sharing issues that arise for fear of the consequences.
It may sound trivial but consider things as simple as providing employees with a T-shirt, bumper sticker, or button supporting the cybersecurity cause and giving the wider employee and customer network an increased sense of purpose, pride and resolve.
Our work to date can be classified as “one small step” for the movement. Let’s now double down and cause the movement to take a “giant leap” toward a unified and global stand against cybersecurity threats and attacks, while creating assurance that innovation, economic prosperity and safety for all the world’s citizens can be an inspired reality. The cultural change will be a natural outcome of our movement.