Cyberculture Starts With You. Shape Organisational Cyberculture

You’ve shaped your organization’s cyber strategy. You regularly communicate cyber issues and opportunities to your board and executive leadership. Moreover, they listen to what you say and trust your opinion. You’re now in an ideal position to shape a cyber-friendly culture throughout your organization.

Yes, your plate may already be filling up. But it’s time and effort well spent – trust us. Activities that strengthen cyberculture are force multipliers for proactive protection and prevention. For example, employees will enthusiastically update their passwords regularly, and not just by changing “password” to “1234.” They’ll value the self-led online cyber training courses you send them. And they’ll know not to click on that phishing email that could bring your company down.

Moreover, building a robust cyberculture is your job as a CISO. You’ve long realised your role is no longer solely about technical architecture and breach response. Today’s CISOs are also leaders and advisors in governance, risk, compliance (GRC) and business growth. And just as your responsibilities have increased with board communications, cultural leadership is the next logical step in your expanding and evolving role.

Here are some strategic tips to shape organizational cyberculture.

Keep the board in the loop — from cyber awareness to training.

Cultural change starts at the top. Ever notice how the things discussed in board meetings and mentioned in the proxy statement magically and quickly appear in directives, memos, KPIs and goals? When the C-Suite speaks, VPs pay attention — which means regional managers pay attention, which means these issues have cascaded down to every employee at every level.

Shaping organizational cyberculture works the same way. When your priorities become board priorities, these activities have a far better chance of earning your organization’s time, resources, enforcement and action.

To strengthen cyberculture, the top things you’ll need to put on the board’s radar include:

  • Employee training: How is it being done, and for which skills and threats? What have the completion rates and feedback been so far?
  • Tools and tactics: What software are you using to safeguard data, protect IP and guard your perimeters (including third-party networks and edge computing)? How are you handling access control and physical security? Is it time to shift to new approaches or technologies?
  • Testing: How well have all of the above measures been working? Share snapshots of your testing efforts, and include penetration testing by an outside firm.
  • Your cyber team: Who’s involved in your organization’s cybersecurity efforts, from internal cyber experts to external services in areas like monitoring? Is it time to review, augment or revisit these investments?

Communicate cybersecurity’s importance across your organization.

“I don’t work in IT — why should I care?”

“Cyber attacks happen constantly, and the world keeps running.”

To engage in your cybersecurity efforts, employees in all roles need to understand what’s in it for them. Here’s where the communication skills you’ve honed with the board are helpful.

In succinct, jargon-free terms, explain to them:

  • How much business your company would lose by the day, hour or even minute if a cyber-attack took your website down.
  • How much a data breach would cost your organization in terms of fines and lost customer trust.
  • How a rogue employee’s social media account could wreak havoc for your organization.

Use statistics and examples. Tell a story. Leverage the tools your organization already uses for internal and board communications: think of email newsletters, Slack channels, and employee intranets. Dashboards, visualizations, and customizable reporting templates all help to make your message resonate across varying levels of education and tech savviness.

Throughout, communicate the business opportunity of solid cybersecurity practices and the risk of not having them. Customers will likely do business via your apps and online storefronts when they know their data and transactions are protected. And when your company holds third-party vendors to its stringent cybersecurity standards, the resulting resilient networks and robust supply chains keep products and services moving in a reliable, timely fashion.

A robust cybersecurity culture also brings several advantages from a governance, risk and compliance management standpoint. In a poll conducted during the “Future of GRC” webinar, nearly half of the participants reported that they communicate risk, audit and compliance (RAC) issues separately, rather than jointly, to the board — a missed opportunity for collaborative discovery. Moreover, data privacy factors into ESG disclosures, audits and regulatory requirements. So, the more your team shares its progress in working towards your organization’s GRC, RAC and ESG goals, the more confident and effective you’ll all be at keeping up with these obligations.

All of this adds up to a competitive, sustainable company and more economic security and opportunity for everyone. For individual employees, this value proposition suddenly casts onerous practices like password management and online training videos in a new light. And for leaders in other departments across the organization — like governance, risk and compliance — you’ll show that the cyber experts are team players that recognize their role in the organization’s success.

Show how robust cyberculture reduces risk.

Finally, make employees in your department and across your organization feel empowered. Your organization is doing something about cyber risk, and while it’s not perfect, it’s working. Be sure to highlight your latest activities for risk management and remediation and how they’ve been going:

  • Detecting and addressing potential vulnerabilities and incidents
  • Determining probable exposure and loss
  • Reducing this exposure and potential damage

Share highlights of both your challenges and achievements. Wherever possible, use visuals and keep your messaging simple. While your colleagues in data analytics will appreciate an elegant Monte Carlo analysis, others across the firm might find this specialized detail way over their heads and tune out.

In conclusion, cybersecurity is a team sport. You, the CISO, and your team must align yourselves with the board, your colleagues in GRC and employees across the organization to shape organizational cyberculture and bring those values into the broader organization.
