A common problem cybersecurity teams continue to deal with regularly is how to build a strong cybersecurity culture across their respective businesses. A positive and accommodating culture can often be the difference between your cybersecurity programmes succeeding or not. On the other hand a negative culture can lead to a lack of engagement in key initiatives, low adoption of policy compliance and even a lack of engagement in awareness campaigns to name a few.

An often-repeated recommendation to improve culture is to establish a positive culture using a top-down approach, ensure your boards and executives adopt a positive culture and see the positive effects permeate through the business. This is a great first step but isn’t enough in isolation to solve this problem and lacks a practical element to reach your employees in the key areas you need to target.

To support a top-down approach there are three key initiatives I recommend to enhance your cybersecurity culture:

Listen to your workplace

A good first step is to go out into the workplace and listen to what the business requirements are. In a mature cybersecurity environment, it’s really common to tick this box for your senior executives and boards but is often missed for the wider business. This can be achieved by implementing working or cross functional subject matter groups for the discussion of security, often sitting under your security steering committees.

These groups can be used to capture feedback from the wider business in the day to day operations but also disseminate important information back to key resources, so spread back to their business areas. This can create a positive feedback loop between the business and security teams.

Establish appropriate risk ownership in the business

In the past few years, the cybersecurity industry appears to have overcome a hurdle related to its position within the business structure. Traditionally cybersecurity was seen as an IT issue, leading to many conflicts of interest. Today cybersecurity often sits within shared services or even finance departments with reporting lines more appropriate to support separation of duties.

One unfortunate issue with this split is that many cybersecurity teams then carried the risks traditionally owned by IT or technical business areas, with them. This often leads to them becoming responsible for risks associated with technical assets, leading to a lack of appropriate ownership - which in turn  leads to a lack of engagement in the protection of said assets, which exacerbates potential culture issues.

A key recommendation would be to work to ensure your cybersecurity risks have appropriate ownership through their relevant areas in the business. An asset owner should also own the risk associated with that asset, including cybersecurity. Owning the risk, means owning the controls that must be applied. This ownership should then lead to positive engagement with cybersecurity teams who should be able to provide some of the solutions and or support required to ensure appropriate controls exist to mitigate risk.

Make things easy and simple

One thing we cybersecurity geeks tend to forget is that our colleagues are often dealing with a lot and no matter how much we want it to be, cybersecurity is not their top priority. This means that most colleagues do not have the time to digest our often complicated and bloated policies, standards and guidance.

We need to make things as digestible as possible. This can include clearing down unnecessary policy blurb and focusing on clear and concise facts. Work with your colleagues to ensure operational procedures are aligned to policy, so not every repeatable task needs to be assessed against policy.

This doesn’t have to be purely a cybersecurity initiative either, reach out to your wider business and offer them the support and guidance to direct them into a positive and simple alignment to your security programmes.