Cultivating Cyber Resilience

Throughout my journey in different organisations over the past two decades, one constant remains: the pivotal role of organisational culture in cybersecurity. Despite all the technical controls, it’s the human element that often dictates the success or vulnerability of each organisation’s cyber defences.

Understanding the Human Factor

Cybersecurity isn’t merely a matter of implementing policies, getting that ISO certification, and installing some firewalls around everything. It’s about nurturing an environment where every member of the organisation is aware, vigilant, and proactive about cyber threats. In my experience, the most resilient organisations are those where cybersecurity is ingrained in the culture, not just relegated to the IT department.

How do we do it? Here is what I have seen work effectively across multiple organisations; when it is not working well, one of these elements is usually missing.

1. Leadership Commitment

It starts at the top. Leaders must not only endorse but actively participate in cybersecurity initiatives. This includes regular communication about the importance of cybersecurity, sharing insights on current threats, and leading by example. When staff see their leaders taking cybersecurity seriously, they’re more likely to follow suit.

2. Continuous Education and Training

Cyber threats evolve rapidly, and so should our knowledge. Regular training sessions, updates on the latest cyber threats, and practical tips on digital hygiene should be an integral part of the company’s routine. These sessions should be engaging, relatable, and accessible to all employees, regardless of their role or technical expertise.

Set regular compliance deadlines: new staff should complete the training within four weeks of joining the organisation, and within the first week is better. The most effective approach I have seen is weekly new joiners’ sessions run by the security team, where questions can be asked rather than just consuming a video.

Then, every year or every six months, update the content and require the whole organisation to complete the training again. Reinforce this with questions at the end of the session to ensure the material is understood and the session is not just a clicking exercise.

3. Encouraging Open Dialogue

A culture of silence around cybersecurity issues can be detrimental. Encourage an open dialogue where employees feel comfortable reporting potential threats or breaches without fear of repercussion. This open approach not only helps in quick identification and mitigation of risks but also fosters a sense of collective responsibility.

How do you do this?

  • Establish a policy where employees are not penalised for reporting mistakes or breaches, thereby reducing the fear of negative consequences.

  • Organise regular meetings where employees can discuss cybersecurity issues, share experiences, and raise concerns.

  • Create anonymous reporting channels for employees to report issues or concerns without fear of identification or retribution.

  • Provide training that emphasises the importance of open communication in cybersecurity, and how each employee can contribute.

4. Simulating Real-World Scenarios

There’s nothing quite like hands-on experience. Conducting regular cyber drills or simulations can be an effective way to prepare your team for real incidents. These exercises help in identifying gaps in both knowledge and response strategies, providing invaluable insights for improvement.

It is not practical to run this for a whole organisation, but the key stakeholders in crisis management should be well drilled on common cyber scenarios.

5. Recognising and Rewarding Cyber-Smart Behaviour

Positive reinforcement can be a powerful tool. Recognise and reward employees who demonstrate proactive cybersecurity behaviour, for example the security champions who raise concerns during projects. This can extend to more general activity such as identifying phishing emails. We are quick to count the number of failures in each team during tests, but what about the teams outside security that performed well?

6. Integrating Cybersecurity into Business Processes

By now we should all know cybersecurity should be embedded in every business process, from onboarding new employees to launching new products. This integration ensures that security considerations are not an afterthought but a fundamental aspect of all operations.

7. Regularly Reviewing and Updating Policies

The cyber landscape is dynamic, and so your policies should be too. Regular reviews and updates to cybersecurity policies ensure they stay relevant and effective in mitigating current threats. In the postmortem for each incident, the question should be asked: are our policies and standards adequate in this area?

Developing a cyber resilient culture is not a one-off project but a continuous endeavour. It’s about building an environment where cybersecurity is part of the DNA of your organisation. The strongest firewall we can build is a well-informed, vigilant, and proactive team.

So where can you begin?

By far the most frequent headline topic that boards ask about is ransomware and the subsequent exfiltration of data. Executive leadership often asks what we are doing to prevent this, and the question itself is often an indicator that the organisation is not doing enough.

In each successful campaign, we introduced engaging online modules that simulated phishing scenarios, not PowerPoint slides in an e-learning tool. The content needs to be modern, dynamic, and interactive. Employees learned to identify red flags in emails and web links. One provider in particular that was effective was KnowBe4; the late Kevin Mitnick’s videos kept teams engaged with the content and talking about the training afterwards within their teams.

Recognising that different departments faced unique risks, we tailored workshops to address specific vulnerabilities. For instance, the finance team received training on spotting fraudulent invoice scams.

To test knowledge and understanding, we sent mock phishing emails to staff. These simulations, crafted to mimic real threats, tested and reinforced the lessons from the e-learning modules. Where people failed, we re-engaged them to complete the training again.

We circulated monthly newsletters featuring the latest phishing tactics and practical tips. These communiqués kept the topic fresh in everyone’s mind. We reinforced the difference between spam and phishing, as a high percentage of people outside cybersecurity confuse the two.

To encourage proactive behaviour, we introduced a rewards system for reporting phishing attempts. This step significantly increased engagement and vigilance.

The campaigns led to a marked decrease in successful phishing attacks. More importantly, they fostered a culture where cybersecurity awareness became a shared responsibility.

You may have different experiences and some things to add; get in touch and let me know what you would add here.