Cyber culture starts with the CISO. Here’s how to lead the way
You’ve shaped your organization’s cyber strategy. You’re regularly communicating cyber issues and opportunities to your board and executive leadership. What’s more, they’re listening to what you have to say and trust your opinion. You’re now in an ideal position to shape a cyber-friendly culture throughout your organization.
Yes, your plate may already be filling up. But it’s time and effort well spent. Activities that strengthen cyber culture are force multipliers for proactive protection and prevention. For example, employees will enthusiastically update their passwords on a regular basis — and it’s not just changing “password” to “1234.” They’ll value, and actually take, the self-led online cyber training courses you send them. And they’ll know not to click on that phishing email that could bring your company down.
Moreover, building a strong cyber culture is your job as a CISO. You’ve long realized that your role is no longer solely about technical architecture and breach response. Today’s CISOs are also leaders and advisors in governance, risk, compliance (GRC) and business growth/operational effectiveness. And just as your responsibilities have increased with board and executive leadership communications, cultural leadership is the next logical step in your expanding and evolving role.
Here are some strategic tips to make the mission more manageable.
Keep the board in the loop — from cyber awareness to training
Cultural change starts at the top. Ever notice how the things talked about in board meetings and mentioned in the proxy statement magically and quickly appear in directives, memos, KPIs and goals? When the C-suite or executive leadership speaks, VPs and senior managers pay attention — which means regional managers pay attention, which means these issues cascade down to every employee at every level.
Cybersecurity works the same way. When your priorities become board and executive leadership priorities, these activities have a far better chance of earning the time, resources, enforcement and action of your organization.
To strengthen cyber culture, the top things you’ll need to put on the board and leadership team’s radar include:
- Employee training: How is it being done, and for which skills and threats? What have the completion rates and feedback been so far?
- Tools and tactics: What software are you using to safeguard data, protect IP and guard your perimeters (including third-party networks and edge computing)? How are you handling access control and physical security? Is it time to shift to new approaches or technologies?
- Testing: How well have all of the above measures been working? Share snapshots of your testing efforts, and include penetration testing by an outside firm.
- Your cyber team: Who’s involved in your organization’s cybersecurity efforts, from internal cyber experts to external services in areas like monitoring? Is it time to review, augment or revisit these investments?
Communicate cybersecurity’s importance across your organization
“I don’t work in IT — why should I care?”
“Cyberattacks happen all the time and the world keeps running.”
To be engaged in your cybersecurity efforts, employees in all roles need to understand what’s in it for them. Here’s where the communication skills you’ve honed with the board and leadership team come in handy.
In succinct, jargon-free terms, explain to them:
- How much a data breach would cost your organization — in terms of fines and lost customer/stakeholder trust
- How a rogue employee social media account could wreak havoc for your entire organization
- How much business your company would lose by the day, hour or even minute if a cyber attack took your website down
Use statistics and examples. Tell a story. Leverage the tools your organization already uses for internal communications — think of email newsletters, Slack channels and employee intranets. Dashboards, visualizations and customizable reporting templates all help to make your message resonate across varying levels of education and tech savviness.
Throughout, communicate the opportunity of strong cybersecurity practices, along with the risk of not having them. When customers know their data and transactions are protected, they’re more likely to do business via your apps and online storefronts. In the public sector, effective cybersecurity practices demonstrate a commitment to protecting public and stakeholder interests, thereby enhancing citizens' confidence in your institution. And when your organization holds third-party vendors to its own stringent cybersecurity standards, the resulting resilient networks and strong supply chains keep products and services moving in a reliable, timely fashion.
A strong cybersecurity culture brings several advantages from a governance, risk and compliance management standpoint as well. In a poll conducted during the “Future of GRC” webinar, nearly half of participants reported that they communicate risk, audit and compliance (RAC) issues separately, rather than jointly, to the board or executive team — a missed opportunity for collaborative discovery. Moreover, issues like data privacy factor into ESG disclosures, audits and regulatory requirements. So, the more your team shares its progress in working towards your organization’s GRC, RAC and ESG goals, the more confident and effective you’ll all be at keeping up with these obligations.
All of this adds up to a competitive, sustainable company (or a more effective and efficient public sector organization) with more economic security and opportunity for everyone. For individual employees, this value proposition suddenly casts what had been onerous practices like password management and online training videos in a whole new light. And for leaders in other departments across the organization — like governance, risk and compliance — you’ll show that the cyber experts are team players that recognize their role in the organization’s success.
– Kristy Grant-Hart, CEO, Spark Compliance Consulting
Show how a strong cyber culture reduces risk
Finally, make employees in your department and across your organization feel empowered. Your organization is doing something about cyber risk, and while it’s not perfect, it’s working. Be sure to highlight your latest activities for risk management and remediation and how they’ve been going:
- Detecting and addressing potential vulnerabilities and incidents
- Determining probable exposure and loss
- Reducing this exposure and potential damage
Share highlights of both your challenges and achievements. Wherever possible, use visuals and keep your messaging simple. While your colleagues in data analytics will appreciate an elegant Monte Carlo analysis, others across the firm might find this specialized detail way over their heads and subsequently tune out.
Cybersecurity is a team sport. You, the CISO, and your team need to align yourself with the board, your colleagues in GRC, and employees across the organization to make bring cyber culture and values into the broader organization.