Think Your Organization Has a Healthy Cybersecurity Culture?

If your organization has a healthy cybersecurity culture, consider yourself lucky — less than five percent of organizations do.

It’s a well-worn truism in IT and that says success is a matter of people, process, and technology. And it’s stated in that order, starting with people, for a reason. An organization can have the best technology and processes place, both of which are critically important, but without the right people in place everything will eventually fall apart.

This is especially true when it comes to cybersecurity. This is one of the reasons why building an organization with a strong cybersecurity culture is so important. Unfortunately, this seems easier said than done for most organizations. A recent survey from the ISACA and CMMI Institute, The 2018 Cybersecurity Culture Report, [.pdf] found that 95 percent of those surveyed believe a gap persists between their current level of cybersecurity culture and where they’d like to be.

For this survey, more than 4,800 business and technology professionals shared their insights in the global research study, conducted via online polling in the sprint of this year, the ISACA said.

So what is cybersecurity culture anyway, The ISACA and CMMI institute define cybersecurity culture as a workplace culture where security awareness and behaviors are integrated into people’s daily workflows. In a strong cybersecurity culture, security is also a strategic executive leadership priority. The theory being that effective culture will help staff and others to understand how they can work to keep the enterprise secure.

Interestingly, according to the survey, that have an effective cybersecurity culture have employees who: 

• Recognize their role in endpoint security
• Participate in regular training programs
• Actively engage with the behaviors and habits outlined by their cybersecurity program

Unfortunately, only 34 percent of survey respondents reported understanding the role they play when it comes to helping secure their organization’s digital assets.

“Enlisting the entire workforce to mitigate an enterprise’s cyber risk is an emerging practice,” said Doug Grindstaff II, SVP of Cybersecurity Solutions at CMMI Institute in a news release. “We are hearing a lot of feedback about how organizations can move the needle on employee involvement. It’s challenging, but organizations are rightly concerned by the growing sophistication of cyberattacks,” he said.

The survey detailed how entrenched employee security involvement is strongly correlated with organizations who perceive themselves to have a good cybersecurity culture. In these organizations, nine in ten employees said their C-level executives share an excellent understanding of the underlying issues, and 84 percent of employees at these organizations said they understand their role in cybersecurity. 

Other findings from the survey include: 

• Many organizations lack the first—and all-important—step toward a cybersecurity culture: 42 percent of organizations do not have an outlined cybersecurity culture management plan or policy.
• Aligning the entire workforce with the organization’s cybersecurity policies requires significant capital: Organizations that report a significant gap between their current and desired cybersecurity culture are spending just 19 percent of their annual cybersecurity budget on training and tools; organizations that believe their cybersecurity culture is where it is supposed to be are spending more than twice as much (43 percent).

How should organizations begin improving their cybersecurity culture? According to survey respondents it comes down to establishing a clear and consistent policy, providing regular security awareness training, make certain the CISO has the authority to do what needs to be done, and cultivate executives who champion security. Sounds easy, right? Of course it doesn’t. That’s why so few organizations get it right. But it can be achieved with the right efforts. Have a look at the ISACA report here.