Creating a Cyber Security Culture: 7 Lessons From EH&S
Cyber-attacks are a rapidly escalating threat and companies face a significant challenge in managing their risk. While many of these challenges are of a technical nature, a significant number of them are created by employee and manager actions and inactions. These actions and inactions tend to be rooted in culture, or ‘how things get done around here.’
The companies with the best safety records have learned several lessons about creating high-performing safety cultures. These lessons can readily be applied to cyber security.
- Build a Cyber Security Culture: Culture happens by design or by default. Organizations are better off designing it than letting it happen on its own. The implication is that each enterprise needs to define what a ‘good’ cyber security culture will look like and then develop a plan to achieve it.
- What Leaders Say & Do Matters: Leaders set the tone for cyber security by their actions and inactions. Therefore, leaders need to be able to establish and communicate clear expectations for their teams to support strong cyber security behaviors and outcomes.
- Establish a Cyber Security Management System: Management systems provide a comprehensive framework for cyber security expectations and accountabilities. They establish a systematic way to define, evaluate and prioritize cyber risk, and to make improvements along the way.
- Management Review: Leaders must monitor and measure cyber security performance. Management review provides a systematic way to give feedback, intervene when necessary and improve performance. Reviews should include both leading indicators (for example, training completion or patch timeliness) and lagging indicators (for example, incidents that have already occurred).
- Define Employee Behaviors: Be clear about what is expected of employees, communicate those expectations and regularly review performance. Be ready to provide direct ‘nudges’ to achieve desired outcomes. Consider codifying cyber security requirements into a set of ‘golden rules’ to improve the consistency of communication and the reinforcement of desired behaviors.
- Identify Cyber Sensitive Jobs: Know where the organization is vulnerable and identify which roles are accountable for protecting against those vulnerabilities. Make sure that the protections are ‘healthy’ and that the employees are ‘competent’ to perform their cyber security roles.
- Manage Contractors as Partners: Contractors and third parties present unique cyber security vulnerabilities. Make sure that there are proper contractual terms, contract ‘owners’ to manage those terms, and supplier performance reviews to ensure third parties are meeting their cyber security obligations.