"Culture eats strategy for breakfast" is a frequently used (and just as frequently misattributed) quote about the relative power of formal strategies and the cultures that put them into practice. Whether executives can strategize around their own culture is highly debatable, but here's something I know to be true: Culture chews giant holes in cybersecurity.
The idea of a "security culture" is powerful and popular in both cybersecurity and physical security worlds. Basically, it's the notion of making security-aware behavior so much a part of the organizational culture that the people in the organization become a powerful defensive component. It is, in most cases, the endgame of cybersecurity awareness training and the much-desired ultimate stage of cybersecurity maturity.
That's all good, but my concern is at the other end of the process — the one in which the organization's culture is not only blind to cybersecurity but also actively hostile to much of the good behavior that makes cybersecurity work.
Efficiency is an obsession for most executives. Making sure that the maximum results come from the minimum investment is good business sense. Friction takes energy and turns it into something other than desired results. The more friction, the less efficiency, and the more waste. Seems simple, right? But there's a problem.
Many necessary business processes add friction to the system. Collecting (and paying) taxes adds friction. Keeping records adds friction. Human resources, health and safety safeguards, and yes, cybersecurity, all add friction. That's why some businesses develop a culture that considers each and every one of these activities to be something bad — something to be minimized, avoided, or worked around. Which is fine ... to a point.
The key to business success with all of these (and similar) activities is not to eliminate them but to make sure that the friction imposed on business processes is proportional to the business benefit derived from the activity. An unhealthy organizational culture says, basically, that there is no business benefit sufficient to warrant any friction in the most basic business activities – usually defined as marketing and sales. When the essential culture of the organization is along these lines, anything that injects friction will be at best ignored and at worst subverted. And this is the point where cybersecurity awareness training has to start.
Cybersecurity awareness training begins with the simple premise that cybersecurity has value. And for that message to get through to users, the organization's culture must accept that the friction cybersecurity adds to business processes is worthwhile — that the cost of cybersecurity will be an investment rather than a boondoggle.
Too often we have created business cultures that prioritize efficiency and productivity not only over all other considerations but also to the exclusion of all other considerations. These are cultures that like to consider themselves ruthless and relentless and are all too often reckless and blinkered. Employees are often encouraged — implicitly by the culture, if not explicitly by management — to go around anything that might add friction to a process. That "thing" can be record-keeping, compliance with regulations, or cybersecurity. In each of these cases, the ultimate cost of evading the friction can be much higher than accepting it as part of doing business. And that's the blunt message that may have to lead cybersecurity awareness training in one of these "damn the consequences" cultures.
In the best of outcomes, cybersecurity awareness training results in a culture that values cybersecurity and prioritizes the actions and attitudes that make security part of everyday business behavior. But that outcome may lie at the end of a long road; the first step is building simple acceptance that cybersecurity has value for the company.