Question

How should the IS or Cybersecurity Policy align with the corporate culture and strategy?

Answer 1

Recognizing the power of corporate culture to shape employees’ attitudes and behaviors, many IT and cybersecurity leaders now want to instill a cybersecurity culture in their organizations. That means imbuing employees’ daily decisions and actions with a heightened awareness of cybersecurity. Doing so, they believe, could improve their companies’ ability to safeguard data, prevent cyberattacks, decrease risk, and protect shareholder value. But how do technology and cybersecurity professionals make this happen? How can they create a culture in their organizations that perceives cybersecurity as a top priority from the boardroom to the break room?

For ideas, let’s look to security’s cousin, safety.

Safety First

Although preventing accidents is a given in most workplaces today, safety hasn’t always been a priority. In fact, beliefs about workplace safety have undergone a number of transformations since the Industrial Revolution, with many injuries, deaths, and lessons along the way. Only in the last 50 years have accidents become the exception rather than the rule—a change catalyzed by several trends, including organizations seeking to limit their liability, HR leaders examining attitudes toward and perceptions of safety throughout workplaces, and broader regulatory efforts.

The Australian Radiation Protection and Nuclear Safety Agency traces the evolution of safety in several stages:

The age of technology. Since the dawn of the Industrial Revolution some 250 years ago, and until relatively recently, machinery failures and flaws bore most of the blame for workplace accidents. Engineers strove to improve worker and plant safety by designing safer technology.

The age of the human. After major incidents, such as the Three Mile Island nuclear meltdown in 1979, pointed to the role of human error in workplace accidents, engineers began factoring behavioral elements into their designs to anticipate, correct, and compensate for employee mistakes.

The age of the organization. Disasters, including airplane crashes and oil spills, have caused organizations to reconsider their assumptions about safety and to ask how and why these accidents occurred. Human and even technical failures are now seen as the tip of the iceberg, indicating a lack of leadership at the highest levels and prompting organizations to focus on improving their safety cultures.

Adding another perspective, researcher Philip Sutton lists four shifts in emphasis that characterize the evolution of workplace safety culture:

—From an employee responsibility to a management responsibility.

—From post-accident coping to prevention.

—From nonsystematic management to whole system management.

—From risk reduction to risk elimination.

When managers took up the safety mantle—establishing and enforcing safety protocols, providing worker training, and encouraging supervisors and employees to report hazards—accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aimed at eliminating risk altogether.

The impetus for these changes came from organized labor and laws, but they succeeded only when top-level executives encouraged and supported them. Studies have shown a direct correlation between management commitment and worker safety.

In other words, to instill a culture of safety in the workplace, the push must come from the highest levels and the message should be: “We are all in this together.” When all employees, from entry-level workers to executives, feel a vested interest in their own and their colleagues’ safety across the organization, then the goal of “zero risk” may at last become attainable.

Could the same be true for cybersecurity?

The Cybersecurity Shift

In today’s technological revolution, new technologies have exposed workplaces and employees to a host of threats, including identity and intellectual property theft, data destruction and manipulation, and breaches of various kinds of confidential information.

To reduce these risks, organizations initially focused on securing corporate technology assets using firewalls, antivirus software, malware scanners, and other tools. In response to these measures, hackers changed their tactics and began employing phishing and social engineering schemes that take advantage of employees’ ignorance or carelessness to gain unauthorized access to systems.

Now, as large-scale breaches continue, it may be time for organizations to embrace and inculcate a cybersecurity culture that, like an effective safety culture, seeks to:

—Embed cybersecurity throughout business processes rather than relegate it to a single function.

—Promote inclusivity and collaboration across departments, offices, and levels.

—Encourage and incentivize shared responsibility.

—Retain flexibility, allowing employees to learn, change, and grow.

Changing workplace culture can be daunting, especially across multiple businesses or locations. But as the history of workplace safety shows, it’s possible to achieve with commitment from the top. And the trickle-down effect, resulting in buy-in at every level, is likely to help organizations lower their risk considerably.

As cybersecurity professionals look toward the future—a continual mandate in the industry—they ought to consider the lessons of the past and the practices that have worked in other realms, such as workplace safety. They may then succeed in rallying workforces around cybersecurity in a way that goes to the very heart of organizations—to the culture that defines them.