On April 12th, 2023, we hosted cybersecurity leadership expert Dr. Jessica Barker for a conversation about how to create a culture of cybersecurity - and how doing so can lead to better security outcomes and an improved security posture. The conversation was hugely helpful in laying a great foundation about what cybersecurity looks like, why it’s important, and how to approach it.
Before talking about how to build a cybersecurity culture, the first step was to agree on what that really means. Culture is made up of both behaviors and attitudes. It’s shaped by the values we share, the perceptions that we have, our thoughts and feelings, and the way we talk about things. For cybersecurity, that often means having an organization that’s built on having a respect for security, an understanding of how security relates to the overall business goals, and open communication across the entire organization.
The right culture prompts the right actions: the day to day practices like asking questions if something seems suspicious, following through on training, and paying attention. It’s about having the right mindset and attitudes towards cybersecurity that takes teams beyond awareness and into action.
“Every organization has a cybersecurity culture whether you are actively managing it or not.” - Dr. Jessica Barker
Two key drivers to a strong cybersecurity culture
Culture is created by many people and many pieces, but Dr. Barker outlined two crucial elements that the organizations with the strongest cybersecurity cultures have.- Behaviors of leadership: Cybersecurity culture relies on leaders and starts at the top. Leadership needs to be practicing the behaviors they want to see others model. And leadership should mean anyone from the C-suite all the way to team managers - anyone influential and respectful should be prepared to shoulder security responsibilities and model healthy, positive cybersecurity habits. The best leaders showcase this through open communication, admitting mistakes, and talking through the process of identifying and remedying any missteps.
- The right tools: Dr. Barker cites the importance of employees having the right tools they need to change their behavior. How is security supporting people through tools, technology, and training? A layered approach - one that includes password management tools, regular education on security best practices, new employee onboarding with strong security guidance, and open communication as to why security underlies the success of the whole organization - is an approach that empowers all users.
Quick tips for supercharging your cybersecurity culture
Building or changing any culture isn’t something that can happen overnight, but Dr. Barker provided us with small steps that you can take to create real impact.- Link back to overall culture: Creating a cybersecurity culture isn’t about reinventing the wheel; it’s about expressing the “why this matters” of security using what already drives and exists inside your business. What’s your company’s mission statement? What are your pillars and values? If, for instance, one of your guiding values is customer service above all, you can easily make that relevant to cybersecurity as well; securing customer data security and privacy are paramount to a positive customer experience.
- Ask your teams: Using surveys, assessments, and focus groups, you can find out what your employees’ attitudes are on cybersecurity. Where do they see gaps? What would make it easier for them? Can they talk about why cybersecurity matters to them or how it personally relates to their roles?
- Designate a security champion: Sometimes, it can be easier to talk to our peers and teammates than leadership or even just the rule-making security team members. Dr. Barker noted that it can be difficult for employees to reach out to IT or security leadership to ask questions, whether it’s because they’re afraid of asking questions they think they should know the answer to or because they don’t actually know who their point of contact is. She recommends that businesses appoint one person per department to be the contact for all security questions, and that person can either go through best practices directly with a user or can make sure that they level up a problem, concern, or question to someone on the security team.
- Job shadowing: Hosting a “day in the life” event where employees are invited to get an inside look at the tools that security teams use, the issues they face, and how their jobs intersect with other elements of the business can help make security more personal for individuals in their own day to day.
- Take a deep dive: Our “From Cyber Resistant to Cyber Resilient” ebook is an in-depth guide on the right questions to ask, the right steps to take, and the right KPIs to measure when it comes to creating a strong cybersecurity culture at any organization.
