Culture is a catalyst for security success. It can significantly reduce cybersecurity risk and boost the cybersecurity resilience of any organization. Culture can also greatly enhance the perceived value, relevance and reputation of the cybersecurity function.
So how can security leaders develop a positive brand and culture for cybersecurity? Listed below are some recommendations and best practices:
1. Understand the prevailing culture and context
To understand why the workforce behaves in a certain way about technology and security, it is important to understand the prevailing cultural context. For example, any regional cultural differences, the particular industry sector, the underlying company structure, the lack of awareness and knowledge of security norms, and conflicting business priorities, can all weigh on any planned change to team culture and security behaviors.
2. Set the right tone for culture to develop
Traditionally, the security function has been perceived as the department of “no.” Therefore, the primary goal of the security team must be to replace this rules-bound, inflexible, autocratic perception of the security function with one that is open, transparent, positive, creative and collaborative. Switch from saying “No” to “Yes, allow me to explain how to do this in a safer way.” Make promises, not threats.
3. Set clear goals and aspirations
As part of the design blueprint for security culture change, the security leader should set clear aspirations for what the team is trying to achieve, underpinned by conversations about how the culture underscores the effectiveness of the team, and the importance of making the change. The team should be given a clear sense of purpose; clarity on why they are here, what they need to do, and how they need to behave and be perceived.
4. Explore fresh ideas and innovative approaches
Cybersecurity leaders must encourage their teams to explore fresh approaches and new ideas, and to be less bound by convention, protocol and historical precedent, putting the organizational need above their own personal agendas in the interest of building effective relationships that drive business value. Think and act positively and strategically, demonstrating ways in which security can support strategy, increase revenue and maintain profitability.
5. Focus on your sphere of influence
While the security leader’s ability to change the organizational culture may be limited – certainly in the short term – there is much to be gained by changing the team’s own culture and demonstrating the benefits of such change. Start by focusing efforts where personal influence is highest. If the change is effective, those effects will be noticed, and others may start to replicate and follow the lead.
6. Leverage branding principles for culture change
A positive culture is best communicated across the business by the application of a strong brand, and this should be a focal point for any culture change strategy. In other words, think and act like a marketer: Do some audience analysis; communicate security concepts in a language your audience understands; make cybersecurity more relatable; engage users and promote security programs using marketing messages, campaigns and influencers, just like you would promote a product or a service.
7. Learn to walk in the business’s shoes
Be business curious and ask probing questions about what the business or employee is trying to achieve. Have a growth mindset, including actively supporting and aligning cybersecurity strategies with the business cause. Plan and implement security strategies in concert with employees and stakeholders; this comes across as consultative behavior and opens the door to more constructive and valuable conversations.
8. Hone soft skills
Changing personal style and approach (such as being an active listener, increasing emotional intelligence, being more transparent) can alter employee perceptions and build more trusting, productive, and cooperative relationships. Practicing the art of storytelling, simplifying the language and building narratives that resonate with the audience can help security teams connect with employees at a more emotional and human level.
9. Justify security changes effectively
It is important to remember that security adds friction by design. If access cards did not have to be used to enter an office or credentials used to log onto a workstation, employees could indeed access data more quickly – but so could everybody else. While this sounds like a straightforward argument, it is easy to forget the importance of communication and explanation. Security leaders must ensure there is a clear and concise explanation as to why any change is being proposed and that employees are given the opportunity to ask questions and receive satisfactory answers. This fosters a culture of trust and transparency.
10. Adopt a language of risk instead of security
The language of risk can be more relatable than the language of security. That’s because risk is all about the business and generally understood as a concept. The conversation can shift more to a security language when the stakeholder is ready, rather than it being a forced conversation.
The human factor is the biggest contributor to cyber risk and it’s probably also the most difficult to control, mitigate or “tame”. Security technologies and controls are definitely important but above all, culture is that one missing or underrepresented piece which security leaders must start actively focusing on. Treat employees like they have influence, and they will.