Corporate culture should be a critical factor in a successful cybersecurity program. Culture is universally recognized as a key component of business outcomes in general. Peter Drucker famously said that “culture eats strategy for breakfast.” The National Association for Corporate Directors regards culture as a corporate asset. In today’s world of instant communications, culture can immediately influence business outcomes, either positively or negatively.
However, while culture is generally regarded as an essential enabler in achieving business results, it is less visible in achieving cybersecurity goals. The recent ISACA-CMMI Institute cybersecurity culture research demonstrates this, illustrating both worthy aspirations and efficient programs, with room for improvement in effectiveness.
For example, the research shows that 96 percent of organizations plan employee cybersecurity training within the next year, but only 7 percent say such training has been extremely successful in building a broad-based cybersecurity culture. This indicates that our training programs have effectiveness gaps. However, virtually all firms are finding business benefits from improved cybersecurity culture (only 2 percent find no such benefits). At the same time, most businesses are finding a culture gap between where they are and want to be; only 5 percent do not have such a gap.
Should HR leaders help close these gaps and enable their organizations to benefit from improved cybersecurity culture? If so, how? Cybersecurity today has left the tech silo and is moving into the business front lines, where HR must play a key role in the people side of implementation. Challenges and opportunities can be found in the data. One thing I noticed is that 55 percent of respondents think that the chief information security officer is responsible for cybersecurity culture, while only 6 percent assign this to HR. Cybersecurity cultural initiatives should be a team effort involving HR and the CISO. In security consulting engagements I have led, I have always been optimistic when HR leadership is involved. In contrast, the absence of HR means that the project will focus on security technology and will miss positively impacting security culture and program effectiveness.
If culture is a critical part of an effective cybersecurity program, what can HR professionals do?
For one thing, HR should be a key stakeholder in corporate cybersecurity policy. Policy, in turn, reflects the corporate culture. HR has already been involved with most corporate policies. Security policies that are out of date, not comprehensive, or gathering dust reflect a weak security culture. I can see this at the beginning of any consulting engagement. Policy should reflect the existing behaviors and then seek to improve those incrementally. A policy is a guide for individual behaviors, and HR must be an active participant in any policy change. Any policy written without considering individual behaviors will not be effective.
As I mentioned, cybersecurity today has moved out of the tech silo and is moving into the business front lines. The recent National Institute of Standards and Technology guidebook, Cybersecurity is Everyone’s Job, provides detailed guidance on workforce development. Awareness training must be replaced with cybersecurity education, and HR should be the enabler for this. The HR department also should lead by implementing cybersecurity culture within its own department. The best cybersecurity program begins at home. The HR function is where all of the organization’s most sensitive data are stored, processed and transmitted. HR should be an active business partner with the CISO in protecting this information. As such, some HR professionals may choose to obtain cybersecurity expertise themselves. ISACA’s Cybersecurity Nexus platform is one of the best places to start to establish cybersecurity qualifications.
Achieving a strong cybersecurity culture across the organization requires action on many fronts: people, process, technology and outside partners. Many groups, including HR, need to be engaged. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that, according to the research data, 75 percent of organizations are getting management more involved. However, it is important that the C-level executive regularly communicate the importance of security to management and to employees. An annual communication to all employees will not work. HR knows how to implement effective internal communications.
Continuous, incremental improvement of cybersecurity is vital. There are no cybersecurity magic bullets, or 30-day sprints. In fact, the essence of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and to specific elements, like risk management. An effective risk management program is another building block for a good cybersecurity culture. Unfortunately, we humans are not good at logical risk management.
What factors inhibit continuous improvement of risk management programs (and associated cybersecurity culture)? The rate of change that people will accept and the messaging around suggested changes. Humans can grow, but usually don’t heed dire reports of impending disaster. Think of Cassandra and the Trojan Horse. Or the lesser known Colonel B.A. Dickson of U.S. Army Intelligence, who predicted the German attack prior to the Battle of the Bulge in December 1944. Humans may, however, accept incremental adjustments in risk awareness or mitigations. HR is best equipped to understand the people issues inhibiting effective organizational change.
Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture. These are the set of behaviors that help ensure that the organization will protect its information, whether it’s employee records, customer data or intellectual property. I believe any cultural change must be supported by a partnership involving HR and the CISO (chief information security officer). Cybersecurity culture is really no different from any other type of culture, and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years, and HR has already earned its stripes here, so there’s no need to reinvent the wheel.
One well-known resource for cultural transformation is John Kotter’s eight-step model for transformation. Cultural change is the last step in the transformation process. It is preceded by defining a sense of urgency, forming a powerful coalition and five more enabling steps. Another model for organizational change is Jay Galbraith’s STAR model. He highlights the five functions needed in designing an organization: strategy, structure, processes, rewards and people. These functions can be utilized to create or transform the security organization and culture that you want in your business. HR should partner with the CISO to develop the sense of urgency and get the process started.