Tricia Griffith, CEO of Progressive, the large insurance provider, said: “With the right people, culture, and values, you can accomplish great things.” [1]

Several excellent analogies can be used to describe the global challenge we face in cyberspace. We can describe it as modern piracy, given how many people historical piracy affected while it was rampant, its criminal nature, and its use in proxy wars between the great naval powers of the 17th and 18th centuries. It could be thought of as infectious disease, given how often malware is the proximate cause of fraud and sabotage, how widespread and destructive it is, and how it spreads through contact. It can be considered akin to the unbridled marketplace competition that the emerging industrialists of the 18th and 19th centuries perhaps envisioned as their battlefield. And, of course, it can be thought of more directly as outright war, where skirmishes and battles are fought by and for nation states, with catastrophic collateral damage inflicted on citizens the world over.

In each case, the common first step in fighting back is to change the culture. Whether it is banding governments together to defeat a common enemy, creating a public/private cooperative, or developing a sense of civic duty through education and public discourse, a change in culture is what turns the tide.

With that as the backdrop, let’s think about how we’re doing in the culture change we know we need. ISACA® and the CMMI Institute tapped the power of their combined community to look at how we’re doing at developing and adopting a cybersecurity culture. The 2018 ISACA/CMMI Culture of Cybersecurity Research looks at more than 30 data points and draws on almost 5,000 respondents across small, medium and large organizations, which makes this survey extremely valuable in helping us assess where we are.

Making the shift we need requires three distinct steps or phases. First, we need to create awareness of the problem in a way that makes it real to the entire workforce. It needs to be personal: people need to understand why it matters, not just to their organization, but to them. Next, teach people basic self-defense; they need to know what they should do to protect themselves. Finally, we need to develop within the workforce a sense of unity of purpose and make real to them the shared outcomes we want to achieve.

From the research, we see that 87% of respondents believe that establishing a stronger cybersecurity culture will improve profitability or viability. We also learn that almost 8 in 10 believe organizations without such a culture experience more breaches, and more than 7 in 10 think those organizations are more susceptible to phishing. I think this is great; it means we are motivated to make the changes we need to the cyberculture we have, and we believe we should do so because it is essential to the organization, not because the regulators require it.

Coming back to our three steps, we also see from the research that fully 96% of respondents already have, or expect to have, employee training in place by the end of next year. We can assume, then, that if you are reading this you likely have a program in place. Most importantly, the topic most often addressed is cyber risk awareness, cited by 8 in 10 respondents. Your task now is to make sure this awareness program establishes, for every member of the workforce, how cyber hygiene affects them personally. You are not alone in having work to do here: barely 3 in 10 respondents believe their workforce understands its role in cybersecurity completely or very well.

Around 5 in 10 believe their workforce only somewhat understands its role, and almost 2 in 10 (19%) fall into the “not at all” and “minimal” categories. I think we need to move a good many people from “somewhat” to “very well” to create the momentum we need toward a sense of unity around the outcomes we want. Three in 10 cannot create much of a draft for their teammates to follow, but 6 or 7 in 10 could. We agree this is important: 41% of respondents cite a lack of employee buy-in or understanding as the most critical inhibitor to achieving the desired cybersecurity culture.

Of course, measuring our progress is essential. First, make the tweaks to your program that make it personal to all workers. Then add regular assessments to gauge how the workforce is responding; fewer than 3 in 10 organizations do that now. Moving the bar on this metric will significantly improve the effectiveness of your cybersecurity awareness program. Engage with the workforce, measure phishing click-through rates, reward successful outcomes, and make sure you have consistent executive sponsorship. If executive management can motivate the workforce to improve product quality and increase sales, it can certainly drive a change in cybersecurity culture and accomplish the great things that Ms. Griffith believes a strong culture makes possible.

1. “Tricia Griffith Quotes,” Xplore Inc, 2018, accessed 27 September 2018.

This article was originally published by ISACA in October 2018.