Considering Culture in Your Cyber Strategy

Posted on by Marco Túlio Moraes

The position of CISO has been transformed to be less a technologist and more a business executive, which means pragmatism is now flooding our way of thinking and doing. We are strategically thinking, setting, aligning, and executing a plan like other business executives. But, like many other executives, we are forgetting the organizational culture.

In a 2018 article published in Harvard Business Review, the authors write, “Culture is the tacit social order of an organization: It shapes attitudes and behaviors in wide-ranging and durable ways. Cultural norms define what is encouraged, discouraged, accepted, or rejected within a group.”

The organizational culture can be an asset or a barrier to any security strategy. The recipe to use it as a barrier is easy: Define your strategy, justify it by any critical cyber issue, and run over the way the company does things for the sake of the organization.

On the other side, leveraging culture as an asset demands first understanding that results are compounded by the journey itself. They are not achieved in a vacuum, so investing in the process that will lead to those results demands energy, patience, and above all, being a person who likes people. We need to understand the way things happen and adapt.

Try implementing rigid processes and policies in a startup, punishing insecure behaviors in a collaborative organization, or pushing fast and numerous changes in an environment that values maintaining the status quo. Things are not going to happen, and you will be seen as someone who is not part of the organization.

Three Considerations for Leveraging Culture in a Security Strategy

  1. Map the Environment

    Understanding how people get things done in the organization requires listening, watching, speaking, reading, writing, replying, and all sorts of communication-related skills.

    It also helps to have some notion of what you are trying to detect, and to use cultural tools and frameworks, such as the Culture Alignment Framework, that can help you understand the way people communicate and relate to each other, how they react to change, how they lead and make decisions, and the way they trust.

  2. Define Your Vision and Start the Awareness

    If you did your homework understanding the business, connecting to people, mapping people’s expectations, discovering challenges, and identifying clear values that security will bring to the organization, then you must set your proposed vision and raise awareness about it, leveraging the already learned values, traditions, norms, and unwritten rules.

    This is the moment to solidify or change shared assumptions and perceptions about your vision, get feedback, and confirm that the path you want to follow is the right one for the organization.

  3. Engage, Collaborate, Build, and Execute the Plan

    Once you get people engaged, start collaborating, developing, and executing the plan. If you stay connected to people and let them develop and execute it together, then you have a better chance of deploying something sustainable. Culture is not doing things your way, or the way you understand a company does things, but the way that people outside of infosec actually do things in the organization. It is a diversity of thought and knowledge coming to the table.

Be Patient

Bear in mind that, regardless of its urgency, implementing a security program is only sustainable if it influences the organizational culture to the core. It involves patience, education, and active engagement. Keep learning about the organization, since culture is an ever-evolving process, as your plan should be.
