Cyber Security Culture: The Missing Link


An effective business strategy comprises a series of core elements. Competitor analysis, product-market fit, and organizational capabilities are critical components. They are key links in the chain that enables successful delivery of the business strategy.

Likewise, effective cyber security has several core elements. The two links most CISOs and business leaders focus on are technology and compliance. Advances in threat detection and internal monitoring technologies are making it harder and harder for bad actors to get inside a company and wreak havoc. And regulatory compliance policies and processes have the benefit of focusing our attention on prevention and quick response.

If these were all we needed, then we should be winning the cyber security war. But all too often it seems that we are not winning, and in some cases we are falling far short. The global cost of cyber-crime is currently around $600 billion and is expected to top $1 trillion very soon. The growth rate of cyber attacks increased 27% between 2017 and 2018. It's getting more and more expensive to invest in technology and compliance to try to keep up.

It's not just large companies being targeted by the growing number of hackers, criminal gangs and nation states. Businesses of all sizes, as well as political, governmental and social organizations, are under attack. Small organizations don't have the capital for the latest cyber technology, and additional compliance is often a cost burden as well. Yet a successful breach in a small company can easily lead to its demise.

We need another strong link in the cyber security chain!

Cyber Security Culture

Corporate culture is either an enabler or a barrier to successful strategy execution. The same is true for cyber security, and so far we have paid only lip service to the importance of a cyber safe culture. Yet the data clearly shows how important it is to the cyber security equation.

One of the fundamental reasons why organizations are not focusing more on cyber security culture is the traditional way culture has been defined, and how difficult it is to accurately assess the causes, or drivers, that determine our culture. We currently have very little data. Most culture data is subjective at best and the result of employee surveys. I honestly doubt that employee surveys give us a real picture of the culture, and certainly not the cyber security culture.

The classic definition of culture, established in the 1970s by Professor Ed Schein of MIT Sloan School of Management, focuses on employee behaviours, beliefs and shared values. As a result, most culture assessments and definitions use employee surveys focused on behaviours, beliefs and values. These are extremely hard to quantify and even harder to connect to business outcomes.

But what if such behavioural definitions of corporate culture were actually describing the outcome of a culture, and not the culture itself? An important question for understanding culture more deeply is: "what in the organisational system is driving or influencing people to behave in habitual ways inside this company?" With this question in mind, we open up a more fruitful understanding of culture and can define cyber security culture in a way that allows us to map, model and quantify the culture and its impact on cyber risk.

Cyber Security Culture (CSC) is an interconnected system of policies, processes, rules, company goals, leadership focus, management and supervisory actions, and employee attitudes that together influence how all employees behave towards cyber security.

Looking at cyber security culture as a business system can give the CISO and business leaders new insights and, most importantly, point out specific cyber security risks that are inherent in the culture but were previously invisible.

  • Data and metrics are readily available inside the company that can help determine which specific elements of the culture act as security enablers or risks.
  • Seeing cyber security culture as an interconnected system helps employees better understand how their work and actions directly impact the health of the company.
  • A cyber security culture system map points out those business functions that are acting as stand-alone silos rather than as an integrated part of the cyber security solution.
  • Cost-effective solutions can be easily pinpointed to improve the overall effectiveness of cyber security, saving resources and costs compared with standard across-the-board "culture improvement" programmes.
  • The effectiveness of the cyber security culture can be tracked over time and linked directly to important business metrics. Thus, improving the culture will have a direct, measurable impact on cyber security.

A business systems model can help executives proactively manage the culture using culture analytics to determine the cyber security impact of proposed change activities.

With technology, compliance and culture all in the CISO's tool kit, we can make even greater progress on protecting our information and our people from the growing tsunami of cyber crime. Cyber security culture can become a responsive and adaptive "human firewall".

Written and Posted by: John R. Childress

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

About johnrchildress

John Childress is a pioneer in the field of strategy execution, culture change, executive leadership and organization effectiveness, author of several books and numerous articles on leadership, and an effective public speaker and workshop facilitator for Boards and senior executive teams. In 1978 John co-founded The Senn-Delaney Leadership Consulting Group, the first international consulting firm to focus exclusively on culture change, leadership development and senior team alignment. Between 1978 and 2000 he served as its President and CEO and guided the international expansion of the company. His work with senior leadership teams has included companies in crisis (GPU Nuclear, owner of the Three Mile Island Nuclear Plants following the accident), deregulated industries (natural gas pipelines, telecommunications and the breakup of The Bell Telephone Companies), mergers and acquisitions, and classic business turnaround scenarios with global organizations from the Fortune 500 and FTSE 250 ranks. He has designed and conducted consulting engagements in the US, UK, Europe, Middle East, Africa, China and Asia. Currently John is an independent advisor to CEOs, Boards, management teams and organisations on strategy execution, corporate culture, leadership team effectiveness, business performance and executive development. John was born in the Cascade Mountains of Oregon and lived in Carmel Highlands, California during most of his business career. John is a Phi Beta Kappa scholar with a BA degree (Magna cum Laude) from the University of California and a Master's degree from Harvard University, and was a PhD candidate at the University of Hawaii before deciding on a career as a business entrepreneur in the mid-70s. In 1968-69 he attended the American University of Beirut, and it was there that his interest in cultures, leadership and group dynamics began to take shape.
John Childress resides in London and the south of France with his family and is an avid flyfisherman, with recent trips to Alaska, the Amazon River, Tierra del Fuego, and Kamchatka in the far east of Russia. He is a trustee for Young Virtuosi, a foundation to support talented young musicians. You can reach John at or