What Does Enterprise-Wide Cybersecurity Culture Look Like?
Effective cybersecurity doesn’t live within a single team. It is woven throughout the entirety of an enterprise’s culture.
An enterprise’s culture is defined by many different things: shared organizational values, how leaders behave, the way teams interact. A company’s culture can make or break its business. Increasingly, cybersecurity is a risk that enterprise culture cannot ignore. Phishing scams. Zero-day vulnerabilities. Ransomware. Threat actors can wield any of the tools in their arsenal against anyone in an organization, from executives to members of the help desk.
information spoke to security leaders from three different companies about how they approach building a security-first culture across their organizations and what that can look like for different companies.
Recognizing Obstacles
Culture is a complex concept, not easily built and maintained. What are some of the biggest obstacles cybersecurity leaders face when establishing security as a core cultural value?
First of all, enterprises have a lot of priorities: driving revenue, marketing products and services, supporting customers and employees, and, of course, security. While each priority plays an important role in sustaining a business, they may compete with one another for talent, time, and budget.
“How do you get the organization to put security on … par with increasing EBITDA or trying to maximize your revenue?” asks John Cannava, CIO at Ping Identity, an identity management and governance company.
That’s a tough question to answer, especially when enterprise teams view security as a stumbling block rather than a business enabler. Security protocols often, and with good reason, force people to slow down.
“As soon as employees think that it's an obstacle to overcome, they may look at creative ways to bypass that security control,” Monica Landen, senior vice president and CISO at Diligent, a board and governance software company, says.
Cybersecurity cannot be the sole responsibility of security and IT teams, but it is the responsibility of these team leaders to demonstrate its value to everyone in an organization.
“There is continuous need to not just come up with the right control set but also to figure out what are the best ways to scale those controls across such a heterogeneous, large landscape,” says Sebastian Lange, CSO at software and technology company SAP.
Identifying Security Champions
Identifying the right security controls, scaling them across an organization, and threading that security-first mindset throughout an entire organization requires security champions. Oftentimes, the CISO and CIO wear that mantle, but the person or people who fill that role will vary depending on the size, structure, and maturity of an organization. At SAP, Lange and Marielle Ehrmann, the company’s global security compliance and risk officer, co-lead global security and cloud compliance.
SAP has more than 100,000 employees around the world. “Each line of business in SAP often [has its] own architectural uniqueness, sometimes even their own execution culture. How do you fit around that?” asks Lange.
The company has business information security officers for each line of business. “They do the line of business-specific security implementation. So, within that model, we are spreading our security and compliance strategy into each and every line of business,” Ehrmann explains.
SAP also identifies employees throughout the business as security champions, people who teammates can turn to with security questions related to their everyday work. “There are quite a few embedded in all of the different areas of the business to help further the availability of people with expertise but also context [and] knowledge of the day-to-day work [of] … employees,” says Lange.
At Ping Identity, the head of product plays a big role in championing security initiatives. “We've taken the security team and embedded it within our engineering organization so that it's not a high-friction interaction between those organizations,” says Cannava. “They're part of the same team who's delivering a solution that has security as part of its core value.”
Whoever leads security efforts should be accessible to everyone in the company, from the board and C-suite on down. “[Make] sure that the cybersecurity leader … is visible and approachable and really sets clear organizational priorities across the company in easy-to-understand terms,” says Landen.
Securing Buy-In
Whoever is championing enterprise-wide security needs to secure buy-in from everyone within an organization. At the top, that means getting the C-suite and board to throw their weight behind security.
“At the end of the day, if you don't have the CEO on board and the CEO isn't … voicing the same level of prioritization, then it will be something that's viewed as a half step back from … fundamental business priorities,” Cannava warns.
Effective communication is a big part of getting that buy-in from leadership. How can security leaders explain to their boards and fellow executives that security is an essential business enabler?
“Really [convert] the technology language or cyber language or jargon into how will … that risk potential impact revenue or reputation or our compliance?” says Landen.
Tabletop exercises can be a powerful way to not just tell but show executives the value of cybersecurity. Walking through various cybersecurity incident scenarios can demonstrate the vital connection security has to operations and business outcomes. Ping Identity periodically engages multiple members of the C-suite in these exercises.
“Not only do you know learn what the gap is, you also learn by doing … you're pulled in and engaged as a member of the C-suite, and now you're invested,” he says. “So, when you go back to your teams, you can share with them why this is so important.”
Executives can and should talk about the importance of security, but employees throughout an organization are busy with their day-to-day responsibilities. Cybersecurity can easily slip through the cracks.
It requires regular communication, not a single training done as a part of onboarding and quickly forgotten. “We find it really important to explain to our employees the ‘why’ of security and what it means to the overall company’s success or brand,” says Cannava.
Explaining that “why” can come in the form of education. For example, teams can discuss real-life cybersecurity events and their consequences, like downtime and lost revenue.
Security leaders can also help their enterprises adopt various ways to make security more engaging and less like a check-the-box item to be forgotten. “So, we have various excellence awards in place, but we are also making it a fun topic, like with a capture the flag competition. So, gamification factors in there,” Ehrmann shares.
Building a Strong, Adaptable Culture
Company culture and security strategy are not one-size-fits-all. While different approaches will work for different organizations, successful security-first cultures share some commonalities. Security initiatives need to be actionable, measurable, and governable across an enterprise in order to be effective. Using an established framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, can help security leaders build and track the success of that security-first culture.
Technology and cyber threats are constantly changing, which means that cybersecurity culture must be adaptable. Today, security leaders are contending with the GenAI boom and its power to both defend and fuel nefarious cyber activity.
“As security practitioners, we do have to get ahead of it and ensure that we have adopted the right policies and practices within the organization, so we don't inadvertently expose sensitive data or potentially impact any privacy policies,” says Landen.
As security leaders work to ensure that a security-first culture keeps up with shifting technologies and threats, they need continuous engagement with employees. Does every employee know about their company’s cybersecurity risks and their role in mitigating them? Do they know where to go with questions and where to report anything suspicious?
“When it comes to reporting a security incident or what they might view as suspicious activity, make it really low barrier for participation, for them to be able to report that,” Cannava suggests.
A strong cybersecurity culture ties security to the overall goals of a business, and it lives in the everyday actions of the people who work there.
“It's rather like swimming or like riding a bike. The moment you need it, you should know how to do it. It needs to come naturally,” says Ehrmann. “You can't create that ad hoc. It needs time, the right leadership and that goes across all levels of the company from the supervisory board over to the executive board to all senior executives down to each and every employee of the company.”