How CISOs Can Build a Cybersecurity-First Culture


Creating an enterprise security-first culture is one of the most impactful things a CISO can do to protect their organization. Sure, high-tech solutions and fancy tools are important, but they are largely ineffective when staff are unable or unwilling to play their part in preventing, identifying, and reporting security incidents.

However, in the quest to develop a positive cybersecurity culture, many Chief Information Security Officers (CISOs) inadvertently create a toxic environment. This is understandable: when an employee’s mistake results in a security breach, it is usually the CISO, not the employee, who is held accountable, and that kind of stress can make people do strange things.

Yet enterprises with toxic cybersecurity cultures, aside from being depressing and anxiety-inducing places to work, are more vulnerable to threats than those with positive cultures. As a CISO, it’s your job to ensure that your enterprise is one of the latter. Here are some tips for achieving that.

Identifying a Problematic Cybersecurity Culture

Rather than definitively labeling a security culture as “toxic,” it is more constructive to assess whether your organization genuinely prioritizes security. A security-first organization focuses on learning, improvement, and positive reinforcement, not blame or punishment. If your organization shows any of the following traits, you likely have a problematic security culture:

  • A Tendency to Punish Simple Mistakes: Being quick to punish simple mistakes, like failing a phishing simulation or accidentally misconfiguring a system, creates a culture of fear. A failed simulation is a training signal, not a disciplinary matter; the number that actually tells you how your culture is doing is how many people reported the simulated email.
  • Poor Visibility and Communication: Organizations with problematic security cultures typically lack transparency and collaboration between security teams and other departments.
  • One-Time Security Training: Too many enterprises view security awareness training as a one-time, tick-box exercise. This approach rarely equips staff with the skills necessary to participate in a security-first culture.

These traits can seriously impact an enterprise’s overall security posture. Again, you could have all the fancy tech in the world, but you’re inherently vulnerable if your staff can’t or won’t contribute to ongoing security efforts.

What are the Consequences of a Problematic Cybersecurity Culture?

The consequences of this kind of culture can be severe, impacting both security and the well-being of the wider business. Punishing staff for simple mistakes, and the culture of fear it creates, actively discourages staff from reporting incidents and can even prompt them to hide their mistakes for fear of reprisal. As you surely know, it’s far better to learn about a security incident early than to have it swept under the rug.

Poor visibility and communication can also be damaging. If security teams, especially senior leadership, fail to interact with other departments, employees are often unaware of how to report incidents or hesitate to do so. This can lead to overlooked issues and, ultimately, missed threats. Establishing and communicating clear security policies, accountability structures, and a willingness to listen to employee concerns is crucial.

Security will never be most employees’ top priority, and there’s not much you can do about that. You can, however, keep it in their consciousness – but not if you rely on one-time security training. If staff only take part in security awareness training once a year, they will have forgotten most of what they learned long before the next session. That knowledge gap dramatically increases the risk of a breach resulting from human error.

So, What Can You Do About It?

This blog has been pretty negative so far, and for good reason. But what steps can CISOs take to cultivate a new, positive culture? Let’s take a look.

The first step in addressing a problematic security culture is to put on sneakers and tread the halls. Start by speaking with the CEO and Board of Directors – getting them on your side will be invaluable when working with other staff. Sure, you’re part of the C-suite, but many in your organization won’t see you as such – having the heft of the CEO and board behind you will go a long way to helping you make your case.

Then, you need to work with senior leadership. The key phrase here is work with – barging into department heads’ offices and demanding they start taking security seriously isn’t going to get you anywhere, even if you have the CEO on your side. Open a two-way dialogue with senior staff to discuss their perception of security, present the risks facing your organization, and make a genuine business case for security. It’s also helpful to offer department-specific support.

The security team should be encouraged to engage with the broader business. We’re all aware of how staff generally view IT and, by extension, security teams – think The IT Crowd, the IT guy from Jurassic Park, and so on – and, while this stereotype is untrue and unfair, it’s still your responsibility to change that perception. Staff must feel they can approach and work alongside the security team, just as they would any other department.

But, most importantly, it’s crucial to recognize that building a positive security culture is a continuous process. Employees will come and go, interest will wane, and new attack techniques will arise. An ongoing program is required to prevent the recurrence of destructive behaviors and reflect a changing threat landscape.

How Fortra Can Help

Fortra’s Security Awareness Training offering, Terranova Security, can help you build a positive cybersecurity culture. It teaches employees to detect and report cyber threats with engaging, effective cybersecurity awareness training that turns your users into a strong line of defense against cyberattacks.

Book a demo today to find out more.
