Strategies for Security Leaders: Building a positive cybersecurity culture
Culture is a catalyst for security success. It can significantly reduce cybersecurity risks and boost the cybersecurity resilience of any organization. Culture can also greatly enhance the perceived value, relevance and reputation of the cybersecurity function.
So how can security leaders develop a positive brand and culture for cybersecurity? Listed below are some recommendations and best practices:
1. Understand the prevailing culture and context
To understand why the workforce behaves in a certain way toward technology and security, it is important to understand the prevailing cultural context. For example, regional cultural differences, the particular industry sector, the underlying company structure, a lack of awareness and knowledge of security norms, and conflicting business priorities can all weigh on any planned change to team culture and security behaviors.
2. Set the right tone for culture to develop
Traditionally, the security function has been perceived as the department of “no.” Therefore, the primary goal of the security team must be to replace this rules-bound, inflexible, autocratic perception of the security function with one that is open, transparent, positive, creative and collaborative. Switch from saying “No” to “Yes, allow me to explain how to do this in a safer way.” Make promises, not threats.