Published on May 17th, 2022

Training to Beat a Bad Cybersecurity Culture

"Culture eats strategy for breakfast" is a frequently used
(and just as frequently misattributed) quote about the relative
power of formal strategies and the cultures that put them into
practice. Whether executives can strategize around their own culture
is highly debatable, but here's something I know to be true: Culture
chews giant holes in cybersecurity.

The idea of a "security culture" is powerful and popular in
both cybersecurity and physical security worlds. Basically, it's the
notion of making security-aware behavior so much a part of the
organizational culture that the people in the organization become a
powerful defensive component. It is, in most cases, the endgame of
cybersecurity awareness training and the much-desired ultimate stage
of cybersecurity maturity.

That's all good, but my concern is at the other end of the process — the one
in which the organization's culture is not only blind to
cybersecurity but also actively hostile to much of the good behavior
that makes cybersecurity work.

Friction = Bad

Efficiency is an obsession for most executives. Making sure that the maximum
results come from the minimum investment is good business sense.
Friction takes energy and turns it into something other than desired
results. The more friction, the less efficiency, and the more waste.
Seems simple, right? But there's a problem.

Many necessary business processes add friction to the system. Collecting
(and paying) taxes adds friction. Keeping records adds friction. Human
resources, health and safety safeguards, and yes, cybersecurity, all
add friction. That's why some businesses develop a culture that
considers each and every one of these activities to be something bad — something to be minimized, avoided, or worked around. Which is
fine ... to a point.

The key to business success with all of these (and similar) activities is
not to eliminate them but to make sure that the friction imposed on
business processes is proportional to the business benefit derived
from the activity. An unhealthy organizational culture says,
basically, that there is no business benefit sufficient to warrant
any friction in the most basic business activities – usually
defined as marketing and sales. When the essential culture of the
organization is along these lines, anything that injects friction
will be at best ignored and at worst subverted. And this is the point
where cybersecurity awareness training has to start.

Mind the Gap

Cybersecurity awareness training begins with the simple premise that cybersecurity
has value. And for that message to get through to users, the
organization's culture must accept that the friction cybersecurity
adds to business processes is worthwhile — that the cost of
cybersecurity will be an investment rather than a boondoggle.

Too often we have created business cultures that prioritize efficiency
and productivity not only over all other considerations but also to
the exclusion of all other considerations. These are cultures that
like to consider themselves ruthless and relentless and are all too often
reckless and blinkered. Employees are often encouraged — implicitly
by the culture, if not explicitly by management — to go around
anything that might add friction to a process. That "thing"
can be record-keeping, compliance with regulations, or cybersecurity.
In each of these cases, the ultimate cost of evading the friction can
be much higher than accepting it as part of doing business. And
that's the blunt message that may have to lead cybersecurity
awareness training in one of these "damn the consequences"
cultures.

In the best of outcomes, cybersecurity awareness training results in a
culture that values cybersecurity and prioritizes the actions and
attitudes that make security part of everyday business behavior. But
that outcome may lie at the end of a long road; the first step is
building simple acceptance that cybersecurity has value for the
company.
