This article argues that a culture change program is essential for an effective cybersecurity program and a return on cybersecurity investments. Three premises support the argument. A culture change program integrated into a cybersecurity program ensures that:
- A systematic approach is adopted to address the changes required for any cybersecurity improvement.
- Culture fit is addressed in cybersecurity product and tool implementation, and teams are adequately informed on how to use them correctly.
- The primary cause of breaches and human vulnerabilities are addressed systematically.
The article is outlined on these three premises. This article is a part of a three-series article. The next article will shed light on why it’s challenging to build and sustain cybersecurity culture and why few organizations approach cybersecurity culture in a structured and systematic way, even though they realize the high ROI of this activity. The last article in a series of three will provide a roadmap on how to start building and sustaining a cybersecurity culture.
Improving cybersecurity requires change
Cybersecurity programs aim to improve an organization’s security posture. Improving always implies that some things (or in other cases, many things) need to change. However, it is evident from our past experiences that changing human behavior can be demanding.
In general, most individuals would like to see change, but few would like to change. You can take smoking and exercising habits as the most common examples of how trying to change human behavior often fails. Rationally, individuals understand the negative consequences of these habits, but fail to change even when presented with the overwhelming health benefits.
If individuals are reluctant to accept change even though it may cost their lives, what makes cybersecurity decision-makers believe that an organization’s employees will adapt to new desired behaviors that today’s digitized working environment demands?
Often, not taking the employees involved and affected by a digital transformation into consideration is why projects struggle to achieve their objectives. From a cybersecurity perspective, improving cybersecurity requires a change in strategies, processes and technologies. These changes do not happen by chance. An organization’s employees are the ones ensuring that:
- Cybersecurity strategies are operationalized throughout the organization.
- Cybersecurity products and tools are properly utilized.
- Cybersecurity requirements and required behavioral changes are being adapted.
The implementation is the most challenging stage of a cybersecurity program. In establishing the foundation of cybersecurity governance, including principles, roles and responsibilities and strategic, tactical and operative governance, documentation often works well. The challenge here is to:
- Create concise documents that are easy for users and other key stakeholders to understand and follow.
- Ensure that operational instructions have a clear link to the overarching principles and goals.
Most organizations struggle in ensuring cybersecurity ownership throughout their organization, including ownership of the requirements and responsibility to implement new routines that the cybersecurity operating model describes. If employees fail to understand the rationale of cybersecurity requirements and why they need to change accordingly, the change motivation is likely to decline over time. In addition, if employees lack the necessary skills or tools to adapt to new working routines, they won’t know how to change and comply with cybersecurity requirements. Here is where the role of a culture change program to achieve desired cybersecurity culture comes into play.
Organizational culture is a pattern of basic assumptions that a group of individuals has developed in learning to cope with its problems1. Therefore, building a certain culture can help govern appropriate behavior in relation to the given set of problems in a group of individuals. A shared organizational culture inﬂuences individuals’ intrinsic beliefs (attitudes, normative beliefs and perceived control to perform a task). By building a certain organizational culture, the likelihood of employees adhering to policies governing proper behaviors increases.
The purpose of building a cybersecurity culture can help obtain three outcomes:
- All employees are aware of and understand cybersecurity requirements and the responsibilities they imply.
- All employees possess the appropriate knowledge, skills and motivation to adhere to cybersecurity requirements.
- All employees are aware of the cybersecurity threats relevant to the organization and knowhow to combat them.
Building a cybersecurity culture fosters an organizational acceptance of cybersecurity requirements, as well as create a cybersecurity-aware and threat-resilient workforce. Therefore, building and sustaining cybersecurity culture increases the likelihood of organizational adherence to policies and better individual management of cybersecurity threats2.