Leading Change: Creating a Culture of Cybersecurity

By Ryan Barton | February 4, 2020

We all know we need to do more to address cybersecurity threats. Most of us have a sense of why— we are connecting more devices that can be hacked, generating more data, and living on a global Internet that is growing by a million people per day worldwide. We may even have a grasp of what. Access to helpful articles is mounting. Extensive resources such as the NIST Cybersecurity Framework are available for free at nist.gov.

The pressing question is often: how? Amid our daily demands, resistance from corporate culture, limited budgets, and overworked IT resources, how do we actually impact security? The challenge is that security is not a tool and it’s not an initiative. It’s an ongoing, holistic discipline. And that requires change. Change is never easy. And effective change must always be led.

With thanks to John Kotter, author of the seminal book, “Leading Change,” the following steps can guide an organization through the hard business of making themselves more secure:

1. Establish a sense of urgency.

Take a moment and write down everything that could happen by not addressing cybersecurity. Data breach. Loss of clients. Terrible PR. Downtime. Incident response costs. Distraction from the business. Loss of client confidence. Today, not having a mature cybersecurity model often means not getting a more sophisticated client in the first place, as prospects are doing due diligence on the company’s security practices with greater regularity. Dwell on these risks for a moment.

Communicate with other team members, managers, and leaders in your organization to spread this sense of urgency.

2. Create your team.

Change cannot be addressed alone. We recommend that cybersecurity risk is managed and reported on at the leadership level, the same as financial or legal risk. Leaders within the organization need to be on the same page about the reality of this risk and have the wisdom to mitigate it.

The team must expand to include expertise in information security (organization-wide practices) and expertise in IT security (technical controls). Assess your organization and its current leaders: Do you have the depth of expertise and availability that gives you confidence? Do you have both information security and IT security competence in enough degrees, or at least have staff with the time, commitment, and attention to detail to learn all they need? If not, engage with those who have the experience and knowledge to work with you through this. Keep in mind: this is not an IT responsibility. IT plays an important part but asking IT to lead Information Security rarely works.

3. Develop vision and strategy.

Your vision should be full compliance with all laws, ability to answer client and prospect requirements, and defense against all relevant attacks. This requires defense-in-depth, which means multiple layers are maintained and monitored on an ongoing basis with governance in place that facilitates the evolution of this model over time. Note that a risk assessment is a great place to start to both establish urgency (#1), develop a vision, and inform your team. It is a holistic review of data security practices, IT practices, compliance requirements, and in-depth technical tests and reviews.

4. Communicate the change vision.

Communicate with shareholders, managers, and the full team. Emphasize the why, explain the what, and guide them through the how. Our experience is that employees are quick to adopt new security practices with not just training, but context. Develop a team-wide understanding of the actual risks, the potential impact to each individual, and the company.

5. Budget separately.

Information Security costs should not go in the “IT” budget line item. In large organizations, the Information Security & Compliance team is a separate team, with separate responsibilities and budget. Regardless of your organization size, create a separate line item for Information Security. It is a new risk, and it will require new costs to overcome.

6. Generate immediate wins.

Once you have your urgency, team, vision, culture, and resources in alignment, you are primed to generate quick- wins. Many high impact security layers take very little time. In the first one to- three months, expect meaningful risk reduction and change in the culture. Identify clear and easily identified measures that convey momentum and track progress.

7. Transition to ongoing governance and produce more change.

After the first three months, move into an “ongoing governance” model, generate a multi-year plan, and track progress. Gather the team every three months, or perhaps more often at the outset, and review both current controls and progress towards the ideal.

8. Anchor security in your culture.

Work across all managers and employees to anchor and evolve security in the culture. Ensure new processes are being followed and reward good security behavior. If you have an HR team, work with them on screening, training, expectations, and disciplinary actions. Evolve the training program every year and talk about security at all staff meetings. Intertwine good security deeply with your culture in as many rhythms and communication methods as you can.

With the news of breaches making headlines, it can be easy to feel like cybersecurity is a hopeless battle — it isn’t. While no one is invulnerable, effective change leadership can turn cybersecurity into a managed risk that’s just another part of the business and culture.