As one of the first researchers and consultants on culture, beginning in 1978, I fully understand how important culture is to customer satisfaction, employee engagement, cyber security and overall business performance. (see Culture Rules) Yes, culture matters; big time!
It is now well understood among business leaders that culture can be either an enabler or a barrier to such important business outcomes as safety, cyber security, customer loyalty and repeat purchasing, innovation, conduct risk, productivity, diversity and inclusion, and M&A integration, among others. And the company that does not proactively manage its culture is doomed to what I call “cultural drift” as more and more employees join the organization, bringing their old culture habits with them. Before long, a unified and aligned culture becomes a fractionated camp of subcultures, competing more than cooperating.
Yes, corporate culture is a critical element in business success. However, in the drive to bring culture into the mainstream of business, I believe it is given too much attention. Culture is important, but it is not everything to the sustainability of a business enterprise. Culture exists as one important element in the company business model. It is important, but not sufficient. The truth is, a great culture cannot make up for lack of funding or a poor competitive strategy.
They had a great culture, everyone was happy; and they happily went out of business!
Culture is important, but it comes last, not first.
Let me explain. A sustainable business is essentially the alignment between three critical business subsystems: Strategy, Structure and Culture. A clear strategy lets everyone know where we are going. Clarity of structure means everyone knows who does what and whom to talk to for information. Culture provides clear understanding of how to behave, with customers, suppliers and peers, in getting the job done.
All three must be in alignment to create a successful organization. And they are interdependent, each reinforcing the other.
An effective organization starts with an effective competitive strategy and a profitable business model. In many cases this rests on an understanding of Product-Market fit, and customer insight.
But then it must have a structure that is designed to help deliver the strategy. If the structure is out of alignment, the company will find it difficult to deliver on its strategic objectives.
A good example is the fad of Matrix Management in the aerospace and defense industries in the 1990s. Essentially matrix management was a cost saving structure to eliminate redundant roles and move expertise between various programs as required, rather than fully staffing each program. Good idea for reducing headcount, except it was not designed for effective program delivery and ultimately led to program delays and cost overruns.
And last, but not at all least, the culture should be designed to help deliver the strategy within the structure. A key question to ask is: What day to day behaviours do we need in this company to ensure the delivery of our strategic objectives? And not just people behaviours. You should also ask what policies and work processes do we need to support strategy delivery? These are some of the hidden culture drivers that don’t show up when most consultants talk about culture.
Answers to these culture questions will go a long way in building an effective and aligned corporate culture that is an enabler for effective strategy realization.
What is the right corporate culture? The one that best supports the business strategy!
Alliances and partnerships produce stability when they reflect realities and interests. ~ Stephen Kinzer
The old expression of “walk a mile in my shoes” is a fitting analogy for building a cyber safe organization. While there is no 100% guarantee of cyber security, the risk of cyber breaches can be greatly reduced when there is a good working relationship between the CISO, other department heads, and the Board.
A recent GSISS survey of the relationship between who the Chief Security Officer reports to and financial losses shows the importance of the Board – CSO/CISO relationship.
In the disruptive global business world of today, with risks stemming from individual hackers, criminal gangs and nation-state bad actors, the relationship between the CISO and the Board becomes increasingly important.
So, what are the elements that make up an effective CISO – Board partnership?
Both the CISO and the Board have significant accountabilities in building a partnership that helps reduce and
Role of the CISO
Seek to understand first, and then you will be understood.
Focus on the Business Issues: First and foremost, the CISO must understand the business issues that are important to the company and the board and are most impacted by cyber security. A good board will accept that its CISO has a grasp of the technical issues and is less interested in the mechanics of cyber security than in how cyber impacts the business, especially financial and operational performance, brand value and investor confidence. Presentations to the Board should always start with the strategic and business objectives of the company and show how cyber security is critical to successful strategy execution.
Integrate Your Cyber Security Plan with the Company Strategic Plan: Cyber security should be one of the strategic pillars of the company strategic plan, and the CISO should work closely with the Board in putting in place those cyber security initiatives that support the overall strategic objectives of the company. The CISO who develops his/her plans and budgets independently of the overall company strategy will find both support and funding difficult to obtain.
Link Security to Business Metrics: Your team should work hard to present ROI information. For example, you can show the estimated amount saved when an attack is thwarted, or the ROI of quicker breach containment. When asking for additional support or funding, start with the risk of potential losses and end with an estimate of ROI.
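The usual way to turn “the risk of potential losses” into an ROI figure for a Board is the annualized loss expectancy model (ALE = SLE × ARO, single loss expectancy times annual rate of occurrence) and the return on security investment that follows from it, ROSI = (ALE before − ALE after − annual control cost) / annual control cost. The Python block below is an added worked example, not code or figures from this post or from CulturSys; the phishing scenario, the two controls and every dollar figure are constructed assumptions. It goes a little beyond the text by also showing how stacking two controls lowers the marginal return and what minimum effectiveness a control needs just to break even, two questions a Board will ask.

```python
"""Security ROI (ROSI) worked example -- added illustration, not from the post.

Model (standard, not specific to any vendor):
    ALE  = SLE * ARO
    ROSI = (ALE_before - ALE_after - annual_cost) / annual_cost
All scenarios, controls and dollar figures below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # expected cost of one incident (containment, lost revenue, ...)
    aro: float  # expected number of incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what this risk costs per year, on average."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of incidents prevented (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident cost avoided, e.g. by faster containment

    def __post_init__(self) -> None:
        for f in (self.aro_reduction, self.sle_reduction):
            if not 0.0 <= f <= 1.0:
                raise ValueError("reductions must be fractions in [0, 1]")
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")

    def apply(self, s: Scenario) -> Scenario:
        """Return the residual scenario after this control is in place."""
        return replace(s, aro=s.aro * (1.0 - self.aro_reduction),
                       sle=s.sle * (1.0 - self.sle_reduction))


def evaluate(before: Scenario, controls: Iterable[Control]) -> dict:
    """Apply controls in order and report the Board-level numbers.

    Controls are applied multiplicatively, so a second control only acts on the
    loss that the first one left behind; that is why stacking lowers marginal ROSI.
    """
    controls = list(controls)
    after = before
    for c in controls:
        after = c.apply(after)
    cost = sum(c.annual_cost for c in controls)
    avoided = before.ale - after.ale
    net = avoided - cost
    return {
        "controls": [c.name for c in controls],
        "ale_before": before.ale,
        "ale_after": after.ale,
        "annual_cost": cost,
        "avoided_loss": avoided,
        "net_benefit": net,
        "rosi": net / cost,
    }


def breakeven_aro_reduction(s: Scenario, c: Control) -> float:
    """Fraction of incidents a control must prevent just to pay for itself.

    Ignores any sle_reduction, so it is the conservative figure to quote.
    """
    if s.ale <= 0:
        raise ValueError("scenario has no expected loss; nothing to offset")
    return min(1.0, c.annual_cost / s.ale)


def board_summary(result: dict) -> str:
    """One sentence in the order the post recommends: loss first, ROI last."""
    return (f"Expected annual loss {result['ale_before']:,.0f}; with "
            f"{', '.join(result['controls'])} it falls to {result['ale_after']:,.0f} "
            f"for {result['annual_cost']:,.0f} a year, a ROSI of {result['rosi']:.0%}.")


# Constructed sample data (assumptions, not client or survey figures).
PHISHING = Scenario("credential phishing leading to account takeover",
                    sle=250_000.0, aro=2.0)
MFA = Control("phishing-resistant MFA", annual_cost=120_000.0, aro_reduction=0.75)
DETECT = Control("24x7 detection and response (faster containment)",
                 annual_cost=200_000.0, sle_reduction=0.5)

if __name__ == "__main__":
    for controls in ([MFA], [DETECT], [MFA, DETECT]):
        print(board_summary(evaluate(PHISHING, controls)))
    print(f"MFA must stop at least {breakeven_aro_reduction(PHISHING, MFA):.0%} "
          f"of incidents to break even.")
```

With the constructed figures, MFA alone returns 212.5% on its cost, faster containment alone 25%, and both together 36.7%: the combined package is still worth funding, but the second control earns far less than it would on its own because it acts only on the residual loss. Quoting the break-even figure (here 24% of incidents prevented) lets the Board judge how much of the estimate has to be right for the spend to make sense.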
Provide Forward-looking Insights: Most of the information a Board receives is nearly 2 quarters old. To support the Board and the company, the CISO’s team should work hard to present forward-looking insights, indicating both upcoming opportunities for greater security and upcoming potential threats. The use of extrapolations and predictive analytics is very useful in helping Boards plan and make better recommendations.
Educate the Board: Most Boards have one or two members with good technical backgrounds, but the majority have little expertise in cyber issues and should be eager and open to learn. Don’t try to educate them all at once; every presentation and meeting is an opportunity to add more to their knowledge about the importance of Cyber Security.
Provide the Board with Easy-to-Understand Oversight: Assuming the CISO has done a good job of educating the Board on Cyber Security, the next important step is to provide an easy to understand Cyber Security Oversight dashboard. We suggest the use of visuals and graphics as much as possible so that a quick scan can provide important insights into the current state of cyber security. We also strongly suggest that this oversight be forward looking and state future potential risks, again with ROI and financial and strategic implications.
Give members of your team Board exposure: The entire Cyber Security team is critical to protecting the organization and it is important for the Board to have exposure to members of this team and to understand their dedication and commitment to keeping the organization safe. This is also an opportunity for members of the Cyber team to develop their skills at presentations and responding to questions.
Bring Other Functions onto a Cyber Safety Team: Cyber security is a team sport and we strongly believe it is the responsibility of the CISO to integrate all other company departments and functions into understanding their individual and collective roles in cyber safety. In many organizations, poor cross-functional cooperation and communication is a significant cyber risk.
Ask: How Can I Better Support You? At the end of every CISO presentation to the Board, it is useful to ask the Board what else they need and how the Cyber Security team can better support them. This often elicits important insights that otherwise might go undiscussed.
Role of the Board
A One-Way Partnership Doesn’t Work
Study the Board Pack: First and foremost, every member of the Board should spend quality time studying the Board pack well before the upcoming meeting and prepare their list of questions and concerns. Two things often stand in the way of good preparation for a Board meeting. The first is a late pack that is sent out just a few days before the meeting. Board members should demand that the company deliver the upcoming Board pack at least 10 days to 2 weeks prior to the meeting.
The second issue impacting preparation is the size of the Board pack. There is no reason for a Board pack to be 300 pages long, yet that is often the case. Large, unreadable and undigestible Board packs often contain boilerplate elements from previous Board packs and rarely summarize the information, on the belief that completeness is better. The fact is, no Board member will read a 300 page pack, especially one sent out just a few days before. The Board Chairman should demand that management produce a concise and easily understood pack so the Board can do its job: to openly discuss and provide guidance on important issues.
Do your homework: In many Board meetings, when the topic of Cyber Security comes around, only a few of the technically savvy Board members engage in the discussion. Much of this silence is due to lack of understanding the basics of cyber security. We strongly suggest that every Board member read the overview book, Cyber Security for Dummies or an equivalent. Cyber security impacts everyone and the modern Board member should, at the very least, understand the basics.
Demand An Enterprise Cyber Security Approach: To fully protect the company and mitigate risk, the Board should demand that all key functional heads participate fully with the CISO in forming an Enterprise Cyber Safety Committee. Cyber security is too important for one function to shoulder all the accountability. We suggest that one Board member be an ad-hoc member of this committee and promote the overall enterprise view of risk and security. All departments must work together to promote a cyber safe culture.
Ask: How Can The Board Better Support You? While a good Board discussion involves many questions concerning cyber security and the future risks to the company, it is always a good practice to end with asking the CISO what help they need from the Board. Again, this question often opens up fruitful lines of discussion.
Strengthening the working relationship between the Board and the CISO is in everyone’s best interest and, since risk mitigation is a key role of the Board, we encourage Board Chairmen to make this partnership a priority.
For More Information on the role of the Board in establishing a cyber safe culture, contact:
John R Childress, email: firstname.lastname@example.org
“It’s like flying with a dead elephant on our back.” ~ James Lovell, Apollo 13
Astronauts are a highly select group of engineers, scientists and pilots, and also some of the most rigorously trained of all professionals. For months and months they run through scenario drills for every possible contingency. They are smart, proficient and motivated to solve any problem they encounter. And they should be, since they are thousands of miles away from earth and need to rely on their sophisticated space capsule, their training, ground support and each other.
It is safe to say they “want to be safe while completing the mission”.
The quote, “Houston, we’ve had a problem here” came from Astronaut John Swigert when the crew of Apollo 13 announced to Houston Ground Control the discovery of the explosion that crippled their spacecraft. Something in the complex system of the Apollo Service Module went wrong and the three Apollo astronauts were in serious trouble. Astronauts rely on a sophisticated system of technology and machinery to keep them safe.
But astronauts are not the only ones who want to be safe. I believe that nearly every individual inside our organizations today wants to be “cyber safe”. Only a very small fraction of employees actively seek to create a negative cyber incident. And yet 80% of all cyber breaches involve employee actions and mistakes.
If we start from the assumption that “employees want to be cyber safe, but they often just don’t know how”, then we are dealing with an organizational system issue, not a behavior problem. And a good place to look for potential risks is the cyber security culture.
Culture As A Business System
A bad system will defeat a good person every time. – W. Edwards Deming
The traditionally accepted definition of culture tends to focus on habitual behaviours, shared beliefs and collective values among employees that result in either effective or ineffective behavior towards work, management, suppliers and customers. Employee behavior impacts business results. But a much more important question is: what in the organizational system influences employees to behave in certain ways, and how are employee behaviors sustained and reinforced? Answers to these questions can give business leaders significant insight into the causal factors creating a specific corporate culture and the potential business risks inherent in the current culture.
We believe habitual employee behaviors, attitudes and beliefs are an outcome of corporate culture, and not the culture itself. By defining culture as a business system it is possible to identify a network of organizational drivers that directly or indirectly influence and sustain employee behavior. In simple terms, the system influences employee behavior, which in turn drives
If there is a concern about cyber security effectiveness, then corrective insights can be gained by understanding and mapping the numerous drivers that make up the cyber security culture.
What are the cultural factors inside the company that influence cyber security? Our research with clients shows that there are a number of company processes, policies, management capabilities and social network elements that are linked together into the cyber security culture system. Some of these drivers are healthy and promote positive cyber awareness and behavior, while others foster poor or even risky employee behaviors towards cyber
Using systems mapping and a specific culture algorithm, we can build a visual map of a company’s cyber security culture using internal company data combined with expert assessments. Each culture driver can then be color coded based on whether it is an enabler or blocker of effective cyber security, thus giving the leadership team the ability to locate current and potential risks in the culture. With enough internal data on drivers and business performance it is even possible to link culture to business results.
Here is an example of a cyber security culture map from our work with the CISO and his management team of a large European-based International Retail Bank. As you can see, several culture drivers show up as orange or red, indicating they act as barriers to effective
Culture Change Is Really a System Change
Change the system to change the outcomes.
Fortunately for the astronauts of Apollo 13, with the help of Houston Ground Control staff they were able to contain the damage and land safely back on earth. But for the safety of future manned space flights, it was critical for NASA scientists and engineers to discover what in the design and construction of the Apollo Service Module contributed to the explosion on Apollo 13. It turned out that it was not just one faulty part, but a series of small errors and miscommunications to equipment manufacturers several years before which, when networked together as the Service Module oxygen tank system, resulted in the
Next time your organization reports a cyber security problem, look deeper to locate those factors in the cyber security culture system that may be the ultimate causal factors. A cyber failure is an excellent opportunity to discover the real causal factors.
For some time, I thought Apollo 13 was a failure. I was disappointed I didn’t get to land on the moon. But actually, it turned out to be the best thing that could have happened. – Jim Lovell
For a discussion on cyber security culture inside your organization and how to map culture drivers,
“No organization, small or large, can sustain success in the long run without energized employees who believe in the mission and understand how to achieve it. Sustainable success and reputation starts and ends with the Board!”
There are two kinds of Boards.
The unprepared are often caught napping, while prepared Boards are proactive and forward looking. The unprepared Board faces the task of finding a new CEO without a succession plan and must rely on a stream of executive recruiters pushing the same set of re-tread candidates. Early on, the prepared board sets in motion a development plan for internal candidates as well as linking its strategic plan with the leadership capabilities required for the next several years. The unprepared board is content with rear-view mirror data that is often 2 quarters old. The prepared board constantly looks forward for new insights into economic trends, strategic shifts, supply chain sustainability and the potential risks in its corporate culture.
And corporate culture oversight is now becoming part of the regulation regime in the UK. And in the US, several large institutional investors are also pressing for Board oversight of culture. Currently few companies bring culture oversight into their Board meetings, and even those few that do are let down by the traditional approaches to corporate culture metrics and oversight.
Culture metrics are almost all derived from Employee Engagement surveys, which offer a myriad of scores and industry norms on how employees feel about company benefits, working conditions, their supervisors and management, and of course the overall culture. The question of “would you recommend your friends and family to work here” is an anchor metric for many culture assessments. According to the consultants who conduct and analyse this data, there is a strong correlation between employee engagement and company performance.
But are Employee Engagement surveys a significant proxy for corporate culture? I’m not so sure. Employee engagement is important, but not sufficient to understand the impact of culture on business performance.
Start with Why
Employee engagement surveys capture how people feel about work, but not why. It does make good sense that if an employee is not happy with their work or supervisors or co-workers then they will probably give less than 100% effort, and certainly not go “the extra mile” to improve things. But why are they unproductive and not engaged?
Those who know why will always win over those who just know how!
I heard this statement many years ago and it has guided my thinking ever since about the way corporate culture really works. Most culture assessments and employee engagement surveys focus on employee behavior and actions, and even ask about their beliefs concerning work and the company. But in my assessment, these are outcomes of the culture, not the culture itself. In other words, employees may not be fully engaged, but what specifically in the culture is influencing this undesirable outcome? Our experience shows that it is not just one element, but a combination of several.
Corporate culture should be more accurately thought of as a system of organizational factors, or levers, that interact in a networked system to influence employee behavior and business results. In my recent book, Culture Rules, I define culture as a business system and identify the 10 core principles that govern corporate culture.
By identifying and using internal company data and information, as well as survey data from management, leadership and employees, it is possible to create a visual system map of the current culture drivers that can easily point out the weaknesses, risks and blockages to improved business performance. Yes, one of those is employee engagement, but there are often numerous other culture drivers, such as hiring profiles, on-boarding, recognition systems, quality of management, leadership engagement, compensation policies, meeting structure, peer pressure, cumbersome work processes, IT system outages and others. All of which can be measured and mapped.
Culture Risk Mapping and Board Oversight
Below is a visual culture map for the factors that drive an important business outcome and an important Board oversight; Safety Culture.
As you can see, there are multiple drivers in this safety culture system, some of which show up as enablers (green) and others as risks (red). While employee engagement is one of the factors, others such as Peer Pressure, Hiring Profiles and Safety Management Processes don’t normally show up in a traditional culture assessment or employee engagement survey. The data analytics used to generate such a culture system map comes from internal company event data as well as reviews of policies, emails and other unstructured data, all of which can be used to build culture metrics within the overall system. In addition, it is important to link the safety culture to safety business metrics, and not just track the overall culture score.
We have also developed other culture system maps for important business issues that are heavily impacted by corporate culture, such as cyber security, customer satisfaction, conduct risk, innovation, leadership, employee engagement and strategy execution.
Besides having a visual map, the Board should also have access to a Culture Oversight Dashboard that summarizes the overall trends, thus providing oversight on how company management is working to improve low performing elements in the culture and how those improvements are impacting business outcomes.
CulturSys, Inc, is pioneering this Culture-as-a-Business-System™ approach using company data and analytics to provide Boards and management with better tools for understanding, overseeing and proactively managing corporate culture to improve business performance. We believe board oversight of corporate culture should be proactive and a key part of the responsibility of an effective Board of Directors.
“The whole is greater than the sum of its parts.” ~Aristotle
Even in the 4th Century BC, it was understood that functions within an organization working together for a common goal produced better results than working independently. Somewhere between Aristotle and the modern MBA program this lesson seems to have been lost as functional excellence became a key criterion for bonuses and promotions. As a result of the recent movement towards digital transformation and organizational agility, the importance of enterprise integration is only now being rediscovered. Yet most organizations are hardwired for functional thinking, with budgets and recognition systems as heavy influencers of silo behavior.
Take the example of the Three Mile Island Nuclear Accident, where strong silo behavior and a focus on functional excellence led to poor information flow between departments that needed to work together. The result? Lack of communications, internal competition and poor trust compounded a technical fault into a major accident. In their excellent book, Meltdown: Why Our Systems Fail and What We Can Do About It, Chris Clearfield and Andras Tilcsik clearly point out how in complex systems small mistakes and communication blockages can lead to catastrophic results.
Today’s businesses and organizations are becoming increasingly complex. And the rush towards integrating digital technologies into every aspect of the organization dramatically increases that complexity. Supply chains have become massively complex and often harbour significant business risks. And in many cases these critical supply chain risks are invisible to management. And manufacturing is no longer isolated from marketing and sales, since the customer experience is becoming a significant competitive advantage in many industries.
We are working in ever increasingly complex organizations and it seems that the only person who cuts across the silos and looks after the “big picture” is the CEO. But with the increasing external demands on the time of the CEO, efforts at enterprise integration and getting multiple functions to work together for a common enterprise objective often take a back seat.
Organizational silos are a significant business risk!
An Important Role for the CISO
The growing tsunami of attacks from cyber criminals and nation-state bad actors is seen as one of the top business risks by business leaders. A single breach could wipe billions off market value, cost millions in loss of downtime and system recovery, plus significantly damage both customer and employee trust in the company.
While cyber security lies squarely in the job description of the cyber security department, seeing cyber security as a functional responsibility is both naive and extremely risky. With 80% of cyber breaches the result of employee mistakes and behaviour, cyber safety becomes an enterprise issue, not a functional issue. And all employees, from the C-suite to the night cleaning crew, and from the Call Center to the outsourced staff are important links to cyber security.
At a recent workshop on cyber security culture and risk mapping for a large European based global bank, it quickly became apparent that cyber safety was an enterprise issue. The culture and risk mapping exercise revealed several key departments that have a significant impact on overall cyber safety, but had few significant interactions with the Cyber Security department. These were Physical Security, Information Technology, and Human Resources. Each have their own functional objectives, budgets and challenges, yet in many ways all have a direct and significant impact on cyber security inside the organization. And the C-suite also stood out as critical to overall cyber security; not just for their contribution to “tone at the top”, but for the significant number of cyber security exceptions generated by this group.
Silo focus and lack of overall alignment on key enterprise objectives often lead to sub-optimization, and hidden business risks.
In our experience, the CISO is in the perfect position to be the catalyst for organizational alignment since cyber security risks reside in every function and every individual employee action. The CISO is one of the few in an organization that has an enterprise-wide perspective on security risks and could effectively act as the enterprise integrator, helping to mitigate current and potential cyber risks to the organization. A breach may happen in one area or from one action, but its impact is enterprise wide and affects everyone. While market risk or operational risk are impacted by one or two functions, cyber security risk is inherent in every function and every employee.
Currently the role and responsibilities of the CISO are not well defined, and there is much discussion as to where the CISO should report and the breadth of their remit. Those companies that fully understand the enterprise and business risks of a cyber breach tend to have the CISO sitting on the senior leadership team. But in most cases, the cyber security function is still seen as a secondary technology cost center reporting to the CIO or in some cases the Chief Risk Officer, CFO, COO or even the Legal Counsel. According to a study by Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO. And the Global State of Information Security Survey 2018 estimated financial losses as a function of the reporting relationship of the Chief Security Officer.
We believe that seeing cyber security as a business issue and not a technology issue is key to putting in the proper organizational structure and reporting relationships to allow the CISO to act as an enterprise integrator.
It is impossible to determine when or where many business risks come from, but cyber attacks are continuous, growing and a serious business risk.
Warren Buffett famously remarked: “Risk is not knowing what you are doing.” Simple yet profound. Many a time I have fallen victim to an overinflated sense of my own abilities and suffered the consequences, sometimes to my own ego and sometimes to my pocketbook.
After studying and advising on corporate culture for the past 35+ years I have developed a twist on Warren’s sage quote. Mine goes like this:
Risk is also not knowing what your culture is doing.
We know by now that corporate culture matters and plays a significant part in business successes, failures and yes, risks. Compare the stellar performance record of Southwest Airlines to the hubris and fraud at Volkswagen or the fall of the once revered Wells Fargo bank. Corporate culture is either a performance enabler or a business risk.
And corporate culture has a huge role to play in cyber security.
Traffic Lights and Roundabouts
I learned to drive in the US where stop signs and later traffic lights were the norm. I failed my first driving test at 16 for not looking both ways at the intersection before proceeding through. Now when I drive it is an automatic reflex.
However, for the past 25 years I have lived in the UK, where roundabouts are the norm and traffic lights a more recent addition. My first encounter at a UK roundabout was as a tourist and it was a mess. Not only was I driving on a different side of the road in a rental car with the steering wheel on the other side, but I was totally ignorant of the “rules” related to roundabouts. Needless to say, I was not popular at that particular intersection but thankfully my passengers and I escaped unharmed, as did the other cars, who honked vigorously as if to acknowledge my stupidity.
Both traffic lights and roundabouts have rules and it is easy to understand how an accident could happen when a driver is ignorant of the rules and driving “etiquette”. But what happens when we know the rules? Is there a safety difference between traffic lights and roundabouts? And if so, why? And what the heck has all this got to do with cyber security?
Accountability for road safety
When one looks at data on traffic accident rates for roundabouts and traffic lights, and also stop signs, a startling difference occurs. Here are two sets of graphs that tell a very interesting story.
The facts are clear, roundabouts are much safer in terms of accidents, and particularly fatal accidents than either stop signs or traffic lights. And by studying human behavior, it becomes clear as to why.
Roundabouts work well because each driver takes personal accountability for their own safety and the safety of other cars as well. This shared accountability causes drivers to focus on their driving and the behavior of other drivers, pay attention in all directions and evaluate multiple possible scenarios for remaining safe. Also, the speed of cars in a roundabout is much slower than on the open road.
Driver behavior at stop signs is full of assumptions. If I stop, others will stop as well. Once I stop, it is okay to proceed. All other drivers understand the same rules about stop signs and have the same values of road safety as I have. A lot of assumptions! And they are often false. People run stop signs when in a hurry or when distracted and serious accidents occur.
Traffic lights on the other hand have proven to be extremely hazardous because people rely on the technology for their safety rather than taking personal accountability. Green means Go, Red means Stop and Yellow should mean caution. But when it comes to human behavior, being first, beating the light, zooming through a Yellow, being first off the line when the light turns Green are very real, and often dangerous human actions. And the statistics show this clearly. Relying on technology to keep us safe is not 100% failproof.
Accountability for Cyber Security
We are losing the war on cyber security. It is a technology arms race, with the bad actors overcoming and one-upping our every attempt to build and deploy cyber-safe technologies. In fact, the probability that you, your family and your company will be hacked at some point is close to 100%. And the costs are huge. Global cybercrime has been estimated at around $600 billion a year and is projected to top $1 trillion. And each breach costs the average business over $3 million in recovery costs, lost revenue, damage to customer loyalty, loss of employee trust in management and numerous other costs.
And now we come to the analogy between cyber security and road intersections. Just like traffic lights, we cannot rely on technology to keep us cyber safe. We must take personal accountability. And in the corporate setting, that means building and sustaining a cyber safe culture where employees at all levels take personal accountability for keeping themselves and the company cyber safe.
Building accountability for cyber safety takes more than workshops and training classes. These are useful, but not sufficient. Accountability definitely has an educational component, but personal accountability cannot flourish in a culture of poor trust, blame, fault-finding, bullying and negative peer pressure, lack of transparency and feedback, and poor leadership. PowerPoint decks, values written on the walls and all-hands meetings may talk about cyber awareness and accountability, but when the pressure is on for cost control, when making the schedule deadline is everything and when being driven to accomplish impossible goals is the norm, remaining vigilant and personally accountable for cyber safety often takes a back seat. And the back seat is a dangerous place from which to pilot a speeding car, let alone a large organization facing a tsunami of cyber attacks.
The other barrier to being accountable for cyber security comes from the fact that we have very poor, if any, data or organizational models as to how culture and employee behavior impact cyber security. We have mountains of reports and terabytes of data about the technological aspects of cyber security, but almost none about the people side.
About CulturSys and Cyber Security Culture
To date, cyber security has mostly been reliant on technology and regulations (policies and compliance). They are definitely important, but as we are currently experiencing across the globe, not sufficient. We need a third leg to the cyber security stool — culture. And not just an amorphous culture, but a specifically designed cyber security culture.
CulturSys, Inc., whose founders have more than 35 years of experience in helping global organizations reshape culture to improve business performance, has been focusing its expertise on data analytics and management tools to help build and proactively manage cyber-safe cultures. We see culture very differently than most. We understand that culture is actually a business system, or network, of key influencing factors inside the company that drive employee attitudes and behaviors. And we can now visually map these factors.
Using a combination of data analytics, systems modelling and behavioural science we have developed a software platform to visually map cyber security culture and identify, using internal company data, potential cultural risks to cyber security. In addition, we have developed an extensive library of cultural best practices to support business leaders in building a more robust cyber security culture.
Combining data analytics, technology and human behavior insights will go a long way in creating a more accountable culture that reduces cyber risks.
An effective business strategy is comprised of a series of core elements. Competitor analysis, product-market fit, and organizational capabilities are critical components. They are key links in the chain that enables successful delivery of the business strategy.
Likewise, effective cyber security has several core elements. The two links most CISOs and business leaders focus on are technology and compliance. Advances in threat detection and internal monitoring technologies are making it harder and harder for bad actors to get inside a company and wreak havoc. And regulatory compliance policies and processes have the benefit of focusing our attention on prevention and quick response.
If these were all we needed, then we should be winning the cyber security war. But all too often it seems that we are not winning, and in some cases we are falling far short. The global cost of cyber crime is currently around $600 billion a year and is expected to top $1 trillion very soon. Cyber attacks increased 27% between 2017 and 2018. It is getting more and more expensive to invest in technology and compliance just to keep up.
It is not only large companies being targeted by the growing number of hackers, criminal gangs and nation states. Businesses of all sizes, as well as political, governmental and social organizations, are under attack. Small organizations do not have the capital for the latest cyber technology, and additional compliance is often a cost burden as well. Yet a successful breach in a small company can easily lead to its demise.
We need another strong link in the cyber security chain!
Cyber Security Culture
Corporate culture is either an enabler or a barrier to successful strategy execution. The same is true for cyber security and so far, we have paid only lip service to the importance of a cyber safe culture. And the data clearly shows how important it is to the cyber security equation.
One of the fundamental reasons why organizations are not focusing more on cyber security culture is the traditional way culture has been defined, and how difficult it is to accurately assess the causes, or drivers, that determine that culture. On that question we currently have very little data. Most culture data is subjective at best and the result of employee surveys. I honestly doubt that employee surveys give us a real picture of the culture, and certainly not of the cyber security culture.
The classic definition of culture, established in the 1970s by Professor Ed Schein of the MIT Sloan School of Management, focuses on employee behaviours, beliefs and shared values. As a result, most culture assessments and definitions use employee surveys focused on behaviours, beliefs and values. Those are extremely hard to quantify and even harder to connect to business outcomes.
But what if such behavioural definitions of corporate culture were actually describing the outcome of a culture, and not the culture itself? An important question in order to understand culture more deeply is “what in the organisational system is driving or influencing people to behave in habitual ways inside this company”? With this question in mind, we open up a more fruitful understanding of culture and can define cyber security culture in a way that allows us to map, model and quantify the culture and its impact on cyber risk.
Cyber Security Culture (CSC) is an interconnected system of policies, processes, rules, company goals, leadership focus, management and supervisory actions, and employee attitudes that together influence how all employees behave towards cyber security.
Looking at cyber security culture as a business system can give the CISO and business leaders new insights, and most importantly, point out specific cyber security risks that are inherent in the culture, but previously invisible.
Data and metrics are readily available inside the company that can help determine which specific elements of the culture act as security enablers or as risks.
Seeing cyber security culture as an interconnected system helps employees better understand how their work and actions directly impact the health of the company.
A cyber security culture system map points out those various business functions that are acting as stand-alone silos and not an integrated part of the cyber security solution.
Cost-effective solutions can be pinpointed to improve the overall effectiveness of cyber security, saving resources and costs compared with standard, across-the-board “culture improvement” programmes.
The effectiveness of the cyber security culture can be tracked over time and linked directly to important business metrics. Thus, improving the culture will have a direct impact on cyber security and can be measured.
A business systems model can help executives proactively manage the culture using culture analytics to determine the cyber security impact of proposed change activities.
By having technology, compliance and culture all in the tool kit of the CISO, we can make even greater progress on protecting our information and our people from the growing tsunami of cyber crime. Cyber security culture can become a responsive and adaptive “human firewall”.
Written and Posted by: John R. Childress
Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues, Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid