Proven Strategies To Drive Lasting Cyber Cultural Transformation 

As cyber threats intensify in frequency and impact, many enterprises still mistakenly believe that cyber resilience is about investing in fancy tools or attaining multiple compliance seals, paying scant heed to the human factor. They over-invest in technical solutions and lurch from one emerging technology to the other, looking for a cure-all solution to their cybersecurity problems. Such overreliance on technology is a strategic mistake that only creates a false sense of immunity. In fact, any hope that emerging technology will shield enterprises from the misdeeds of cyber crooks is extremely misguided.

These enterprises know that the real work of defending the enterprise from cyber threats takes place within business teams and is underpinned by shared norms and values. This work is carried out by frontline personnel: call center staff handling sensitive customer financial data; healthcare workers managing life-critical patient records; engineers developing internet-connected heart monitoring devices; finance personnel approving high-risk invoices; and so forth. This blog uncovers actionable insights for CISOs to accelerate cyber transformation through cultural change management.

Start From The Top Down

Long-term cultural shifts require senior business executives to role model expected attitudes, beliefs, and practices. The executive leadership team must lead by example and emphatically demonstrate that cybersecurity is essential to the enterprise’s mission and is everyone’s responsibility. When executives demonstrate enthusiasm and commitment to protecting high-value digital assets and upholding customer digital trust, middle and lower-ranking employees will naturally be motivated to adopt concurrent practices.

On the contrary, if leaders pay lip service to cybersecurity, their poor behavior will cascade down through the enterprise exposing it to significant risk.  One CISO we collaborated with spent weeks running mobile device management proof of concept (POC) to containerize confidential data stored on staff’s personal mobile devices. But when top executives vehemently pushed back the idea of having some “monitoring security software” installed on their phones and declined the request to issue company phones to thousands of staff, citing financial constraints, the project was thrust into rough waters.

The rejection left the CISO and their entire team feeling dissed. The CEO’s words that cybersecurity was pivotal to the organization’s long-term success also sounded hollow.

The best form of leadership is through exemplary behavior, not organizational mantras carefully crafted by external copywriters. We have seen cybersecurity cultures flourish when executives volunteer their devices for POC projects, raise concerns if they log into key applications remotely without MFA, ensure their devices are locked down before travelling to high-risk countries, and reject password sharing with personal assistants.

How To Set The Tone At The Top 

Here are three simple yet powerful ways to set a strong tone at the top:

1. Position the CEO as the primary agent for cyber cultural transformation. The CISO must engage the CEO to categorically stress the strategic importance of cyber resilience to the organizational mission during town hall sessions and email communication. The CEO must consistently underscore the importance of cybersecurity and emphasize the role everyone plays while publicly recognizing their cybersecurity heroes. 
2. Work collaboratively with the chief risk officer to integrate cyber risk into the organizational cyber risk profile and have a clearly articulated and board-approved cyber risk appetite. This makes it easy to embed cyber risk into the bloodstream of core business operational processes.
3. Facilitate joint board and executive cyber crisis simulations to clarify key roles and responsibilities, preempt key decisions (e.g., does the organization pay ransom in the event of a debilitating cyber-attack), and educate decision-makers on the implications of cyber risk to the business value chain.
4. Engage a suitably qualified external threat intelligence firm to conduct dark web digital footprinting for key executives. Present the results carefully through one-on-one meetings to arouse their emotions and raise awareness of cyber threats to their lives and the enterprise.
5. Gamify cybersecurity to help leaders understand the mind of a hacker while learning about cyber risks and defenses. 
6. Educate senior management on the importance of a unified message to reject requests that violate the policy, such as disabling security controls on servers, pushing back vital security patches, or engaging with third parties that exhibit deplorable cybersecurity practices. 

Identify High-Risk Communities 

Another critical step is to deliver contextualized messages that emphasize specific threats employees face in their respective roles and provide employees with appropriate guidance on how to detect and thwart those threats. Let’s illustrate this through three examples:

1. Software developers must be adequately trained in secure coding as they are charged with embedding security controls into critical business applications, software developers. Unsecure code will develop functional but vulnerable digital products. The source code that developers produce is an attractive target for cyber-related industrial espionage. As such, it’s extremely valuable for the CISO to focus on upskilling developers with hands-on knowledge to write secure code from the start, minimizing rework and building customer trust.
2. Executive assistants facilitate executive travel and are custodians of high-value corporate credit cards. They have access to executive emails and a considerable volume of market-sensitive information, for example, initial public offering plans, unannounced revisions in financial forecasts, mergers and acquisition strategies, plans to expand into markets, the launch of new products, proposed business division spin-offs or proposed changes in leadership teams, etcetera. Furthermore, an executive assistant can act within their boss’s delegation of authority, approving high-value payments on their behalf.  The CISO must develop short and sharp training to educate high-profile executive assistants on secure authentication, handling highly confidential information, and how to thwart payment fraud.
3. Systems and database administrators are guardians of an enterprise’s digital environment. These teams are charged with patching critical systems, hardening the digital environment, and administering user access across high-value systems. Consequently, mistakes or human error by systems administrators can leave the network exposed to critical vulnerabilities. Also, the privileged nature of their access makes systems administrators a lucrative target for threat actors. So, instead of numbing their brains with ancient compliance training, the cybersecurity team must educate this group on privileged access management, securing root access, secure handling of confidential data, and hardening systems.

Segmenting employees according to their risk profiles has three significant benefits: 

1. Focused Training. Spend more resources on training employees exposed to higher levels of cyber risk, as determined by the sensitivity of the data they handle, the consequences of human error in respective roles, and the attractiveness of related tasks to cyber criminals. Risk-based cybersecurity investment is a core tenet of a cyber resilient enterprise. 
2. Increased Relevance Of Messaging. Custom cybersecurity messages stick when compared to generic guidance. For instance, citing case studies where hackers penetrated core banking systems by exploiting unpatched servers with a lack of multi-factor authentication will resonate with systems administrators. On the other hand, finance staff will relate more to cases where scammers tricked a Chief Financial Officer at a similar enterprise into wiring millions of dollars to offshore accounts. 
3. Two-Way Open Communication Channels. Facilitating closed-door sessions with specific groups promotes transparent conversations. Employees can openly ask questions without fear of supervisor backlash. For instance, it’s easier to advise payments staff to challenge payment requests that violate established processes in the absence of senior leaders who often bypass procedures and send payment instructions via short message service or text messages. 

Ask Important Questions

To develop a cyber resilient culture, first, recognize that behavior change requires both tactical and strategic initiatives. Consider the following: 

1. Have you created a compelling shared sense of purpose that motivates everyone, from frontline staff to the board, to go beyond the call of duty to protect the organization from cyber risk?
2. Does the organization have antiquated compliance-based training that can be cost-effectively replaced with highly engaging, relevant and easy-to-consume micro-learning modules?
3. Is there a clear understanding of the major threats the organization faces, as well as who the high-risk segments are?
4. Are there other existing programs and functions that can be integrated? 
5. What are the metrics that the senior management and board will appreciate and follow? 

The steps below answer these questions and show how you can develop a program that works in a tactical and strategic way.

Tactical 

• Identify top threats and security risks from external events and intel from security teams. 
• Identify target groups who are high-risk users. Consider various factors like roles, types of personalities, beliefs, work dynamics, skills, visibility, and values. The challenge of cultural change is that every individual is different. There is no one-size-fits-all solution. 
• Determine available channels that can be used to cascade cyber insights to staff and contractors.
• Identify credible threat intelligence sources to keep abreast with changing threat actor tactics and adapt your learning program accordingly.
• Identify your advocates, influencers, challengers, and end-users and design the program using the feedback from these groups.
• Be prepared to respond to current news. If your peer organization has been hacked, proactively communicate to the executive team what you know, whether you are exposed to the same vulnerabilities, and the immediate steps you’re taking to understand the matter and minimize risk.

Strategic 

• Establish program mission, goals, and support initiatives and align these to the broader mission.
• Determine metrics and targets of key risk indicators, starting with data you already have.
• Build a mature and strong partnership with HR and communication teams. They have experience and resources in communicating and engaging creatively that will give you quick momentum and get their buy-in.
• Create an ambassador program to scale your impact and reinforce business-technology collaboration.
• Build board awareness with quarterly updates on threats and what they mean for the organization. 
• Put yourself in the shoes of your staff and customers. Understand their processes and experiences to determine where the security value and challenges lie. Shift the discussion from compliance to business enablement, which may involve a combination of education and redesign of the security approach. 

Culture doesn’t change overnight. Change management programs require a continuous and coordinated effort to increase human-focused cyber resilience. In fact, it can take at least 12 months to achieve any observable change. Once your employees understand the consequences of their actions or inactions and develop a cyber risk mindset, they will apply cyber resilient practices at work and at home and become part of the solution. When done right, cyber cultural transformation gives you the highest return from security investments.