Cybersecurity culture pertains to the knowledge, perceptions, attitudes, norms, and values of people concerning cybersecurity and how they manifest in people’s behavior. So, we can tell that cybersecurity culture is about making information security considerations an indispensable component of an employee’s habits and job, seamlessly incorporating them into their daily routines and practices.

The fact is that implementing a strong cybersecurity culture plays an essential role in the entire organization’s security posture. We asked 4 cybersecurity experts their opinions on how to build a strong culture of cybersecurity. Continue reading to uncover their full insights.

Ivan Rivic (CISO at DataStore) 

Management needs to be aware of cybersecurity’s influence on their business. I don’t mean awareness of changing the password, but understanding how an insecure business environment can influence the business. For example, ransomware attacks or data leakage can impact their business operations, finance, legal obligations, and reputation. They need to ask themselves what damage to my business would be caused by a cybersecurity incident.  

Support of management to operationalize cybersecurity is crucial. Furthermore, security needs to stay in focus of management. For example, to become a topic in weekly management meetings. With such management awareness and operational support, you can do everything else – build a team, have internal support, engage external support, and so on. 

Doron Zimmermann (Guest Lecturer at Hochschule für Wirtschaft Zürich HWZ) 

By reviewing its own relative security maturity and by honestly engaging with the findings of such an inquest. Secondly, by accepting that security can only succeed, if deployed in a comprehensive manner, i.e., not only IT-security (as is often the case), but a melding of IT-, cyber/information-security with typical aspects of corporate security programs, e.g., physical, personnel/executive, travel security, supply chain security, security insurance management, intellectual property protection, etc. 

Security is very much a people business. If the CEO and the business leaders do not practice cybersecurity in a comprehensive sense, why – notwithstanding glossy governance and compliance policies – should employees? Senior executives need to act as role models and demand that the staff engage with the topic, because they themselves do, and impress upon their personnel how important they feel security is by directly addressing the issue in management and all-hands meetings. 

And, concomitantly, leaders in business ought not to confuse compliance with security. They should not turn what is a highly agile endeavor that requires independent thinking into a tick-in-the-box exercise. Security should be integrated as KPIs into management-by-objectives performance evaluations for all management levels in all units and among regular staff, as it is an endeavor the success of which depends on concerted collective action. 

Conversely, business leaders ought not to compel their staff to run through a WBT or CBT course on security compliance but take the initiative, either themselves or through a CSO or other security ambassadors to speak directly to all management and staff, leaving no doubt about just how mission-critical cybersecurity and security in general are. Security typically deemed a support process by organizations with lower security maturity or myopically simply being considered a cost center in such business environments is neither. Security is a baseline that ensures that all staff can count on going back to work the next day. 

It is the culture of a company, which needs to receive the imprimatur of cybersecurity thinking. Only if the culture of a company can be shaped, is there a realistic chance for positive change toward the development of relative security maturity. Ultimately, if an organization does not maintain regular and demonstrable “hygiene,” why should its customers and stakeholders trust it? 

Patrick Schramboeck (Head Key Management at SIX Digital Exchange) 

To establish a cybersecurity culture, it always needs a clear cybersecurity strategy, which is tailored to the requirements of the company. Here it is important to perceive the needs of management and the various departments and to align strategy and security requirements. 

For example, there is little sense in the highly secure public website, but it is important to restrict access to confidential client data on servers. Therefore, it is necessary to know the critical processes and data and protect them accordingly. Essential is also the openness to feedback and questions because employees see that security is being lived and discussed. 

In general, it is much better to give employees the opportunity to question the CISO and his team about current problems, be it with projects or in everyday operations. This creates trust and promotes readiness to participate.

Thomas Zeulner (CISO at TDK Electronics) 

The current threat situation is already worrying. Anyone who is on the Internet can become a victim of an attack, and the consequences are now more serious than ever. Time is absolute of the essence, and we must rely on the support of all staff. This is where the idea of “Security First” proves its worth and should be reflected in all areas of a company, no matter at what level, be it management, executives, or employees. They all form the most important link in the chain of the security defense strategy. 

This culture should be found in the actions of each individual, which means you don’t just think, you just do. Therefore, it is our task to build and promote this security awareness among colleagues. The security culture should be part of the corporate culture.

Cybersecurity training is part of the culture 

Organizational culture encompasses many things, including workforce development and training. Exceptional organizations inspire their staff to make learning a priority in their development strategy. Check out the Cyber Security Specialist program with Federal Diploma. This training program is designed to provide you with an in-depth understanding of how to protect digital systems and data from cyber-attacks and therefore, alleviate damage to sensitive organizational assets. For more information download the program brochure or contact us.