Cultivating a Cyber Culture at Your Organization

Author: Deepa Seshadri, CISA, CISM
Date Published: 25 May 2022

Simon Sinek has said, “Corporate culture matters. How management chooses to treat its people impacts everything – for better or for worse.” It’s a simple yet powerful thought and something that matters when building an organization. As a cybersecurity professional, my take on the matter is a bit different: Corporate cyber culture matters. How management chooses to treat its cybersecurity impacts everything – for better or for worse. Makes sense, doesn’t it?

Corporate culture is not just how an organization treats its people, but also how the key growth and personnel goals of the organization percolate to the newest employees from the most experienced hands on deck. Building a cyber culture is similar – you need to have the newest folks align with the cybersecurity guidelines – the dos and don’ts – to ensure that cybersecurity incidents don’t damage the organization.

There are two key aspects to building this culture – the operational and the functional. When I mention operational cyber culture, it means that every person with access to data and a device connected to a data network has certain responsibilities toward protecting the company’s data. Whether it is about identifying a phishing mail and not falling prey to it or avoiding sending seemingly non-confidential data or documents to a personal email address outside the organization, the responsibility rests on the individual. A strong cyber culture ensures that employees are aware of data breach and cybersecurity risks, and are equipped to raise a flag when they come across such an incident. This can be put in place starting with board training on cybersecurity and filtering down to staff through methods such as gaming-based cyber training.

I remember the casual approach that employees would take toward data security and data moving about the web in my early years in the industry. It was often a free-for-all, barring a few organizations that took their data and cybersecurity seriously even decades back. We have made much progress since then, but there is much more work to be done.

That includes the second key aspect of building a functional cyber culture – an organizational culture where cybersecurity is a business priority and is viewed by the board as an imperative for the brand. We’re all aware of the mismatch between the jobs in the field of cybersecurity and the availability of relevant talent to fill such vacancies. An organization with a cyber culture would invest in training present and future employees in the skills required to grow the cybersecurity practice.

It’s important to note that, while it might not feel this way to professionals who have been in cybersecurity for a while, the industry itself is in a nascent stage. The advent of the IoT spurred interest in the consumer side of cybersecurity but the major challenges exist on the business side, where connected power grids and critical infrastructure, downstream supply chains and a whole lot more are facing increased cyber threats with each passing minute. In my view, this functional cyber culture needs to come down from the board with a broad-level, organization-wide strategy focused on cybersecurity and cyber resilience.

And boards have every reason to make this a priority. The cost of a cyberbreach is not just limited to the technological infrastructure – it spreads to market capitalization and brand value simultaneously. As a result, regular awareness training and sessions, along with upskilling mandates to involve a higher percentage of the workforce in the practice, should be a part of the cyber culture. Additionally, the role of women leaders and women employees in the field of cybersecurity is of immense importance, especially given their aptitude for problem-solving.

Can this cyber culture be built in a day? No.

Can the process of building this cyber culture be started in a day? Yes.