Enterprise cybersecurity technology research that connects the dots.

Training to Beat a Bad Cybersecurity Culture

Creating a company culture for security may need to start by tearing down an anti-security culture.

Laptop with Post-it notes all over it
Source: <a href="https://pixabay.com/users/geralt-9301/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=3233653">Gerd Altmann</a> via <a href="https://pixabay.com/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=3233653">Pixabay</a>

"Culture eats strategy for breakfast" is a frequently used (and just as frequently misattributed) quote about the relative power of formal strategies and the cultures that put them into practice. Whether executives can strategize around their own culture is highly debatable, but here's something I know to be true: Culture chews giant holes in cybersecurity.

The idea of a "security culture" is powerful and popular in both cybersecurity and physical security worlds. Basically, it's the notion of making security-aware behavior so much a part of the organizational culture that the people in the organization become a powerful defensive component. It is, in most cases, the endgame of cybersecurity awareness training and the much-desired ultimate stage of cybersecurity maturity.

That's all good, but my concern is at the other end of the process — the one in which the organization's culture is not only blind to cybersecurity but also actively hostile to much of the good behavior that makes cybersecurity work.

Friction = Bad
Efficiency is an obsession for most executives. Making sure that the maximum results come from the minimum investment is good business sense. Friction takes energy and turns it into something other than desired results. The more friction, the less efficiency, and the more waste. Seems simple, right? But there's a problem.

Many necessary business processes add friction to the system. Collecting (and paying) taxes adds friction. Keeping records adds friction. Human resources, health and safety safeguards, and yes, cybersecurity, all add friction. That's why some businesses develop a culture that considers each and every one of these activities to be something bad — something to be minimized, avoided, or worked around. Which is fine ... to a point.

The key to business success with all of these (and similar) activities is not to eliminate them but to make sure that the friction imposed on business processes is proportional to the business benefit derived from the activity. An unhealthy organizational culture says, basically, that there is no business benefit sufficient to warrant any friction in the most basic business activities – usually defined as marketing and sales. When the essential culture of the organization is along these lines, anything that injects friction will be at best ignored and at worst subverted. And this is the point where cybersecurity awareness training has to start.

Mind the Gap
Cybersecurity awareness training begins with the simple premise that cybersecurity has value. And for that message to get through to users, the organization's culture must accept that the friction cybersecurity adds to business processes is worthwhile — that the cost of cybersecurity will be an investment rather than a boondoggle.

Too often we have created business cultures that prioritize efficiency and productivity not only over all other considerations but also to the exclusion of all other considerations. These are cultures that like to consider themselves ruthless and relentless and are all too often reckless and blinkered. Employees are often encouraged — implicitly by the culture, if not explicitly by management — to go around anything that might add friction to a process. That "thing" can be record-keeping, compliance with regulations, or cybersecurity. In each of these cases, the ultimate cost of evading the friction can be much higher than accepting it as part of doing business. And that's the blunt message that may have to lead cybersecurity awareness training in one of these "damn the consequences" cultures.

In the best of outcomes, cybersecurity awareness training results in a culture that values cybersecurity and prioritizes the actions and attitudes that make security part of everyday business behavior. But that outcome may lie at the end of a long road; the first step is building simple acceptance that cybersecurity has value for the company.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights