Cybersecurity culture

Shoring up your organizational governance and awareness

Posted by Monique Francois and Don Miller on September 22, 2015.

Security breaches are happening more than ever, creating multimillion-dollar risks and exposing invaluable personal data. Estimates from around the globe show data breaches are up nearly 50 percent,1 and a study done for McAfee in 2014 by the Center for Strategic and International Studies estimated the global economic cost of these breaches at more than $445 billion.2 Organizations are working to both increase security awareness and build or improve cybersecurity functions to protect their organization’s intellectual property, confidential information, and employee, customer, and contractor data. They should also be aligning their organization culture and talent to protect their company’s and employees’ information assets.

Effective cybersecurity may be structurally defined in a business, but it is culturally driven. Organizations should work to change the mindset that cybersecurity is just an IT responsibility—it’s everyone’s responsibility and should be rigorously encouraged across the entire workforce. Employee awareness should be the first line of both governance (ownership) and defense of organizational security. By investing in cybersecurity training and awareness for all employees, company data breaches may be reduced (and in many cases prevented), and the likelihood of an effective response when a breach does occur will increase.

What can be done to align your culture toward a cybersecure mindset?
Culture can be defined as a system of values, beliefs, and behaviors that shapes how real work gets done within an organization. An organizational culture that allows for quick adoption of cybersecurity practices is one that has the following elements:

  • A high degree of commitment, pride, and ownership in the success of the organization.
  • A strong sense of a shared belief toward protecting the organization’s confidential information as well as employees’ personal information.
  • A focused mission on information security compliance in day-to-day activities.

Beyond fostering cybersecurity, cultures with committed, engaged employees and shared beliefs can also see gains in other areas, such as productivity, profitability, and customer loyalty. Deloitte’s 2014 core beliefs and culture survey (Culture of purpose: Building business confidence; driving growth) reveals that “mission-driven” companies have 30 percent higher levels of innovation and 40 percent higher levels of retention, and they tend to be first or second in their market segment.

Building these qualities in your culture starts with identifying and assessing your organization’s cybersecurity values and then taking targeted action to cultivate cybersecurity via overarching governance and standardized, cross-department practices. The effort would typically include steps like leadership engagement and behavioral modeling, recognition and rewards, strategic communications, talent management, and training—a comprehensive, multi-point program to support and further cybersecurity.

A case in point: One organization’s response
A public sector organization recently fell victim to a security breach when an employee opened a phishing email. This allowed an external hacker access to the agency’s data system, affecting millions of user information records, and in turn, costing the organization millions. Root cause analysis indicated the breach was due to low awareness of enterprise-wide cybersecurity practices by the broader employee base.

Following the incident, the organization performed an assessment of its security capabilities, vulnerabilities, and workforce culture, and calculated the cost of the breach. Executives across the organization’s Security, Privacy and Human Resource divisions collaborated to execute the assessment and determine how the organization could benefit from an Information Security (InfoSec) program.

The need for improved security measures led to the development and implementation of a central InfoSec program for the entire organization, responsible for:

  • Cultivating a cybersecure culture focused on preventive practices in daily workforce actions
  • Performing risk assessments that evaluated security controls against a central InfoSec and Privacy control framework
  • Driving policy implementation guidance on adopting enterprise InfoSec and Privacy policies
  • Launching communication campaigns to create a common understanding and acceptance of the InfoSec and Privacy program
  • Facilitating end-to-end talent development plans for InfoSec and Privacy staff, including a statewide skills assessment survey, technical competency model, position descriptions, training framework, a career path toolkit, and organization InfoSec awareness workshops

Thanks to this interdepartmental partnership, the organization has fostered a cyber-aware, cybersecurity-driven culture that makes better-informed information security decisions and exhibits safer behaviors throughout its workforce.

Monique Francois is a director in the Organization Transformation and Talent Human Capital Practice of Deloitte Consulting LLP, where she guides companies through complex change—involving technology, process or new strategic direction. A trusted advisor to Public Sector and Fortune 100 clients, Monique focuses on the human capital aspects of organizations; integrating change and learning into complex business transformations.

Don Miller is a director in the Organization Transformation & Talent Human Capital Practice of Deloitte Consulting LLP, where he focuses on helping companies improve performance by building organization structures to execute new capabilities through their workforce.

Contributors: Ian Skelly, Tara Mahoutchian, and Pilar Jarrin

1 For example, January 25, 2015.
