A positive cybersecurity culture empowers organizations to build robust defenses against cyber threats that extend past security tools and into the everyday lives of their workforce. Organizations that foster a culture where individuals actively engage in protecting the organization against potential threats can see a significant reduction in the recovery time of a cyber attack and even the overall likelihood of a successful cyber attack.

Cybersecurity training vs culture?

The main difference between cybersecurity training and cybersecurity culture is that a culture implements values, attitudes, and beliefs centered around cybersecurity. With a strong cybersecurity culture all employees have a sense of shared responsibility for protecting the organization’s assets and data. Not only are employees aware of security policies, procedures, and best practices, but they are actively engaging in behaviors that work to protect the organization. Cybersecurity training can be an effective first step to strengthen an organization’s first line of defense, but it is just one part of a larger organization-wide goal to create daily engagement with critical cybersecurity practices and ensure strong information security practices are continually enforced.

Creating a positive cybersecurity culture

Leadership

Leadership plays a central role in shaping organizational culture. Cybersecurity is no exception. While it’s typical for a Chief Information Security Officer (CISO) to take the lead on cybersecurity initiatives, it’s imperative that non-cyber executives visibly engage with cybersecurity strategy. Executives should lead by example, setting the tone for genuine, company-wide alignment evaluating cybersecurity needs as a core business value. In meetings and communications with staff, leaders need to talk regularly about key cybersecurity issues and initiatives. They affect everyone in the organization, and everyone in the organization can help improve cyber and information security.

Education and awareness

Cybersecurity threats target everyone, not just top-level executives. All employees need to be equipped with the knowledge and tools to recognize potential threats, understand best practices, and know how to respond effectively in the event of a security incident. This requires more than an annual course. Employees should be included in regular training, workshops, and updates on policies and emerging threats. Every individual should feel accountable for safeguarding the organization against threats. By fostering a sense of collective responsibility, cybersecurity remains a priority rather than an afterthought.

Empowering Employees

Celebrating successes and learning from failures is integral to nurturing a positive cybersecurity culture. Recognizing and rewarding employees for active engagement such as reporting suspicious activity or providing informative insights to cybersecurity policies reinforces positive behaviors and motivates others to follow suit. However, it is equally important to identify areas of improvement. Incorporating a ‘no blame’ position provides an opportunity to reflect on the root cause of an incident and implement corrective measures to prevent incidents in the future. Organizations must recognize that practicing cybersecurity is a work in progress and mistakes can happen. By acknowledging this, organizations foster trust amongst employees encouraging them to ask questions, report suspicious activity early, speak up about their mistakes, and provide feedback on the organization’s cybersecurity program. Embracing open communication increases proactive cybersecurity engagement and reduces the response and remediation time needed in the event of a cyber incident.

Reporting and Evaluation

Organizations should evaluate their cybersecurity activities and their cybersecurity maturity. These evaluations must focus on cybersecurity culture change for the whole organization as well as individual staff members. It’s important that cybersecurity culture goals be specific, time-defined targets, as this facilitates creating metrics and helps leaders and employees stay on track. The assessment can start with

• Role descriptions
• Policy assessments
• Interviews, including individual employees, focus groups, C-suite executives, and HR
• Reviewing Reports
• Evaluate results of phishing simulations and other scenario-based exercises and e-learning completion rates
• Consider awareness and training materials
• Examine statistics and data from cybersecurity tools

Leadership needs to take what was learned in the cybersecurity assessment to develop strategic objectives for the cybersecurity program. Leaders need to fully understand the value of cybersecurity to the bank, impart cybersecurity culture change to stakeholders, understand the cyber threat landscape, and reinforce the importance of their bank’s security posture in relation to industry peers and standards.

Indicators of Success

Does your leadership team lead by example?
Are they speaking openly and positively about why cybersecurity is important?

Can your organization demonstrate a collaborative approach to cybersecurity?
Are your security policies and processes designed in collaboration with HR and training teams?

Do you have a ‘no blame’ culture? Do employees feel comfortable reporting mistakes?
Does remediation include extra training and a discovery process for mitigating mistakes in the future?

Do your security metrics focus on success rather than failure?