Improving cybersecurity culture: A priority in the year of the CISO

Fostering a strong cybersecurity culture is recognized by those in the profession as a foundational element of creating a strong and healthy security program. However, recent research by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) found that many CISOs believe that firms have a long way to go in establishing appropriate cybersecurity cultures within their organizations.

Just what is cybersecurity culture? The European Union Agency for Network and Information Security (ENISA) offers the following definition:

“The concept of cybersecurity culture (CSC) refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies. CSC encompasses familiar topics including cybersecurity awareness and information security frameworks but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee’s job, habits, and conduct, embedding them in their day-to-day actions.”

In other words, a cybersecurity culture promotes cybersecurity as a necessary component for achieving an organization’s overall mission. Indeed, the research reveals that CISOs believe that cybersecurity culture is inexorably linked to security best practices in threat prevention, detection, and response. When asked how they could improve their organization’s cybersecurity program overall, 60% of the CISOs surveyed stated that they should strive to create a better cybersecurity culture throughout the organization, as compared with 42% of all other respondents.

It’s worth noting that CISOs also believe that their cybersecurity program could be improved by getting executives and the board more involved in cybersecurity decision making and oversight, increasing the cybersecurity budget, and improving security hygiene and posture management – all of which are components of a strong cybersecurity culture.

Most CISOs see need to improve cybersecurity culture

The data also points toward work ahead. While more than one-third (36%) of CISOs rate their organization’s cybersecurity culture as advanced (slightly higher than all other respondents), 34% claim their cybersecurity culture rates as average. Alarmingly, 30% aren’t nearly as positive, ranking their organization’s cybersecurity culture as fair or poor.

Given the importance of cybersecurity culture, the data seems to indicate a disconnect between CISOs and other business executives. Unfortunately, this appears to be an occupational hazard for CISOs. When asked if they had ever worked for an organization that knowingly ignored security best practices or regulatory compliance requirements, more than two-thirds (68%) of CISOs responded that they had worked for at least one such organization, compared with 57% of all other respondents.

CISOs want more cybersecurity leadership from business executives and their own teams

As part of the survey, respondents were asked for suggestions on how their organizations could improve their cybersecurity culture. While CISO recommendations were often similar to other cybersecurity professionals, CISO responses stood out in some areas. For example, CISOs want security teams to become involved in all business planning, so they can build threat models and implement the right controls. They also want business managers to be held more accountable for cybersecurity within their business units, making them pseudo business information security officers (BISO) with the security team’s support. This may be a bit of skill set stretch, but it’s safe to say that CISOs want to meet business managers halfway, aligning specific business processes with the right risk mitigation, cyber defenses, and monitoring oversight.

In aggregate, CISOs are suggesting that the rest of the organization take cybersecurity much more seriously, especially executives and the board of directors. It is worth noting that CISOs aren’t simply blaming others for cultural deficiencies. In fact, 40% want to increase their personnel’s level of involvement in guiding these changes with corporate boards. This alone speaks to CISOs’ dedication to their mission.

Clearly, cybersecurity culture depends on strong leadership from business executives. Unfortunately, the data suggests that relationships between CISOs and corporate boards are mixed. When asked how they would characterize their working relationship with the board of directors, 40% of CISOs said fair or poor – a harmful and risky situation. To rectify this, 60% of CISOs recommended increasing CISO participation with executive management and corporate boards, including in all business planning and strategy.

The Enterprise Strategy Group and ISSA research reveals two contrary and concerning conditions:

1. CISOs believe that a strong cybersecurity culture is a best practice that can greatly aid in their mission to prevent, detect, and respond to cyber-threats in a timely and effective manner.
2. Many organizations’ cybersecurity culture lags where it should (and needs to) be.

While CISOs seem ready to act as change agents, they may get some external help in driving this cause. New regulations like the latest SEC rules on cybersecurity risk management, New York State department of financial services rules (23 NYCRR 500), and the impending NIS2 directive from the European Union place additional cybersecurity requirements on businesses that include board of directors’/executives’ responsibilities and cybersecurity cultural imperatives.

It’s safe to assume that between constant cyber threats, financial losses, and these new regulations, many organizations will make cybersecurity cultural improvements a priority in 2024 and beyond. This puts CISOs in the hot seat, but the research indicates that most will welcome this step in the right direction.