The Art of Corporate Culture
Corporate culture includes many different aspects of the organization and is often defined as the art and manifestation of human intellectual achievement regarded collectively. Corporate culture is meant to motivate the behavior of each employee in the daily execution of duties and responsibilities within their role in the organization.
A more granular definition is “A way of thinking, behaving, or working that exists in a place or organization. It is a set of shared attitudes, values, goals, and practices, that characterizes an organization.” It is within the context of this definition that I would like to discuss the importance of maturing the cybersecurity culture as a subset of the corporate culture.
America’s Technology Infatuation Problem
Far too often, maturing how humans think, behave or work regarding cybersecurity is not given the priority it warrants, even though that priority is required if a mature cybersecurity culture, as a part of the overall organizational culture, is to be achieved. I make this statement because the United States’ infatuation with technology, at the expense of improving human behavior, is well documented.
Five years ago, Gregory Bufithis said, “No country has even come close to the U.S. in harnessing the power of computer networks to create and share knowledge, produce economic goods, intermesh private and government computing infrastructure including telecommunications and wireless networks, using all manner of technologies to carry data and multimedia communications, and control all manner of systems for its power energy distribution, transportation, manufacturing, etc. and all this has left the U.S. as the most vulnerable technology ecosystem to those who can steal, corrupt, harm, and destroy public and private users, at a pace often found unfathomable.”
Due to this technology explosion, technology was, in too many instances, designed and manufactured with little thought to security. Minimal security design, if any, has left many organizations facing an overwhelming infrastructure upgrade effort and an almost prohibitive cost for pursuing short-term remediation of existing vulnerabilities.
Technology is not the complete solution to mitigating risk and, in many instances, increases the vulnerabilities that necessitate a greater emphasis on the human factor of cybersecurity. The continuing escalation of attacks serves to exacerbate the threat of human error and create a need for greater situational awareness regarding what is at stake.
Maturing How We Think About Security
For many organizations, upgrading to technology that has a better security design is not often feasible or preferable because of the time and cost involved. However, at least some immediate reduction in the current state of vulnerability can be achieved through the effort to develop a more mature cybersecurity culture within the corporate culture.
In their 1997 book, Unrestricted Warfare, Colonel Qiao Liang and Colonel Wang Xiangsui made this statement, “Corporate America has completely bought into the theory that strong security is founded on technology and minimizing the role of people.”
They went on to discuss the reality that Americans are skilled in machinery and are infatuated with luxuries. They then conclude that Americans’ strong penchant for these two things, together with our desire for the best technology, leads to one of our increasing vulnerabilities.
Condition White: Stuck in Denial
For the past two decades, this infatuation with technology has been a driving force behind developing a corporate culture that minimizes the role of humans in cybersecurity. As a result, employees regularly operate at the lowest of four levels of situational awareness known as “Condition White”. In this condition of awareness, people believe there is no jeopardy and choose not to actively assess their behavior relative to potential threats or threat indicators. In other words, the mindset that provides the perspective on the importance of their security behavior in their corporate role has not been clearly established or reinforced.
You may take exception to the claim of people operating with a “Condition White” mindset, but the statistics on human error in cybersecurity, reported in the Proofpoint 2020 User Risk Report, confirm this mindset is prevalent:
- 45% of U.S. workers believe that public WiFi is safe when in a trusted location.
- 40% of workers use their smartphone for both work and personal activities with a percentage not locking their phone.
- 50% of workers share access to an employee issued device with family and friends.
Changing this mindset is a vital first step in mitigating risk associated with technology vulnerabilities due to the lack of strong security having been implemented in the design phase of new technology.
Developing such a mindset is a function of the maturity of the organization’s security culture. It is reasonable, then, to claim, “Never has the need for a strong and continually maturing cybersecurity culture been more crucial than it is today!”
The effort to mature the cybersecurity culture component of the corporate culture requires much more than the “cookie cutter” security training being conducted to meet some regulatory requirement.
Leading the Way to Cybersecurity Maturity
If a mature cybersecurity culture is to be achieved, it must begin with the C-Suite and executive-level leadership demonstrating personal behavior commensurate with a commitment to the continued effort to mature the security behavior within the organization. In any organizational effort, the attitude of leadership will determine the level of commitment by the individual.
In the introduction to this series, I proposed that the definition of the acronym FUD be changed. I believe this new meaning will serve as a solid foundation on which to build the attitude required to govern the continuous journey necessary to maintain a mature cybersecurity culture. This new attitude will be built on:
- Fearless in the chaos of the ever-evolving threat environment and the rise in attack surfaces due to the unknown vulnerabilities in technology currently deployed.
- Uncompromising in the commitment to continuous improvement and growing maturity in the situational awareness of each employee.
- Decisive in all decisions whether a planned change or an adaptive, improvised change as a result of an unexpected condition.
These technology vulnerabilities are what Sun Tzu, in “The Art of War,” would classify as “Conditions.” Conditions are those things over which the affected party has no control and therefore is not able to change. What can be controlled is the “Situation” the condition has created. In any hostile environment, such as cybersecurity, people are required to be able to recognize threats and patterns and then act immediately based on that information. By improving the situational awareness of the human factor, through a mature cybersecurity culture, a more rapid response to the condition and the opportunities the condition presents will occur.
A mature cybersecurity culture is greater than the sum of its parts. Collaboration and teamwork motivated by the investment in preparation for improving the knowledge, skill and awareness of every employee will demonstrate leadership’s perspective of the importance of strengthening the corporation’s security. In this series on building a mature cybersecurity culture, we will examine how a true focus and investment in what is commonly referred to as an organization’s most valuable asset, human capital, can dramatically improve the corporation’s effort to remain within its established risk tolerance appetite.