Cyber security culture is a collective effort

Aug 27, 2015 | 5 mins
IT Leadership


Cyber security involves many different technical and informational solutions that must be adopted and implemented to position an organization for the greatest chance of resiliency in a complex threat landscape. Technology is necessary in addressing cyber threats, but it cannot work independently of complementary factors such as policy guidelines, information sharing on threats, and user awareness.

Indeed, developing a cyber security culture achieves two important objectives: 1) it intertwines security practices with business operations in order to improve an organization’s security posture, and 2) it demonstrates that security is not a function relegated to an understaffed and underfunded IT department.

Establishing a cyber security culture affirms that everyone – including executive leadership and management – has an equal part in cyber security, which is essential for bolstering an organization’s resiliency. For this reason, when “employee” is used in this paper, it refers to individuals at all levels of an organization, not just workers.

If individuals are the weakest link of the cyber security chain, then it follows that cyber security must start on the individual level. Employees must be actively involved in an organization’s cyber security apparatus, as they will likely have access to many of the business’s computers, systems, and networks, and often will serve as the first line of defense in their protection. Executives are targets for their potential access to sensitive information; worker bees are similar targets for attackers to gain access into the network and elevate privileges so they can move laterally to find such information. They both represent access roads to the same destination.

For this reason, security training is best approached collectively. Many organizations require employees to undergo annual user awareness training. However, such training is often viewed as a compulsory necessity rather than an opportunity to inform and educate. Frequent interactive training will better prepare employees for current threat trends by highlighting the tactics, techniques, and procedures used by hostile actors to gain unauthorized access into targeted systems.

Furthermore, such training should bring executives, management, and employees into the same room where they can share their experiences, thereby educating each other collectively on the types of threats they’ve personally encountered. This type of transparent dialogue connects the workforce as a unified whole and provides insight into where the strengths and weaknesses in security awareness lie.

The socialization of cyber threats among all levels of a company’s workforce reinforces the concept that cyber security is a shared endeavor. For example, social engineering and spearphishing e-mails that target one class of worker may not target another; yet it is imperative that everyone be cognizant of what they entail, how suspicious e-mails can be checked, and what should be done if they are received.

This instills the knowledge that each employee has a vested interest in safeguarding the organization by ensuring its sensitive information and accesses are preserved and maintained. 

It’s imperative that accountability and responsibility not be projected as burdens that punish employees or risk impeding business operations for the sake of compliance. Rather, they must be communicated as opportunities to strengthen an organization’s commitment to protecting the information and accesses that support the goals of the business.

A savvy and alert employee can be the impetus for proactively preventing an attack – for example, by not clicking a malware-embedded link in an e-mail – before it even has the chance to begin. Given the expenses organizations incur when someone is duped into opening hostile links or attachments, this is no small feat.

Communication is an integral part of cyber security culture and a critical enabler for employees to become active in the organization’s security efforts. Communication takes several forms: it can be policy guidelines directed from executive leadership; it can be worker-level individuals reporting potential security incidents before they unfold; it can be security personnel informing the organization of new threats impacting the sector.

With the advent of bring your own device (BYOD) and more organizations enabling employees to work from home, the security standards employees maintain at home now have implications for the workplace as well. Therefore, educating them on acceptable online behaviors, including the types of information shared on social media, will help employees reduce risks both at their residences and at their places of work.

Many believe that cyber security culture starts from the top and works its way down. While there is merit to this statement, I would argue that all stakeholders in the ecosystem create cultures collectively.

“Culture” by one definition is “a way of thinking, behaving, or working that exists in a place or organization.” Executives can certainly lead a cyber security culture, but it must be built, developed, and supported by the entire organization for it to be successful. In this way, “we are all equal partners” becomes a reality, rather than a slogan. And it’s in everyone’s best interest.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.