Fostering a strong cybersecurity culture is recognized by those in the profession as a foundational element of creating a strong and healthy security program. However, recent research by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) found that many CISOs believe that firms have a long way to go in establishing appropriate cybersecurity cultures within their organizations.
Just what is cybersecurity culture? The European Union Agency for Network and Information Security (ENISA) offers the following definition:
“The concept of cybersecurity culture (CSC) refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies. CSC encompasses familiar topics including cybersecurity awareness and information security frameworks but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee’s job, habits, and conduct, embedding them in their day-to-day actions.”
In other words, a cybersecurity culture promotes cybersecurity as a necessary component for achieving an organization’s overall mission. Indeed, the research reveals that CISOs believe that cybersecurity culture is inextricably linked to security best practices in threat prevention, detection, and response. When asked how they could improve their organization’s cybersecurity program overall, 60% of the CISOs surveyed stated that they should strive to create a better cybersecurity culture throughout the organization, as compared with 42% of all other respondents.
It’s worth noting that CISOs also believe that their cybersecurity program could be improved by getting executives and the board more involved in cybersecurity decision making and oversight, increasing the cybersecurity budget, and improving security hygiene and posture management – all of which are components of a strong cybersecurity culture.
Most CISOs see need to improve cybersecurity culture
The data also points toward work ahead. While more than one-third (36%) of CISOs rate their organization’s cybersecurity culture as advanced (slightly higher than all other respondents), 34% claim their cybersecurity culture rates as average. Alarmingly, 30% aren’t nearly as positive, ranking their organization’s cybersecurity culture as fair or poor.
Given the importance of cybersecurity culture, the data seems to indicate a disconnect between CISOs and other business executives. Unfortunately, this appears to be an occupational hazard for CISOs. When asked if they had ever worked for an organization that knowingly ignored security best practices or regulatory compliance requirements, more than two-thirds (68%) of CISOs responded that they had worked for at least one such organization, compared with 57% of all other respondents.