How to create an organizational cybersecurity culture [Free Whitepaper]

Organizations struggling to obtain a company-wide commitment to cybersecurity vigilance can get help from a new resource produced by CompTIA, the nonprofit association for the information technology (IT) industry and workforce.

"Embedding Cybersecurity Into Your Culture," a CompTIA whitepaper, presents a path to make cybersecurity an essential element of an organizational culture by leaning into the company's existing culture. The whitepaper draws on the cybersecurity expertise of CompTIA volunteers from across the globe, representing businesses of all sizes and types in the IT services industry.

"The greatest chance of success in getting people to change their behaviours, embrace their role in security and embed cybersecurity into an organization's culture is for them to lean into existing core values," said Wayne Selk, vice president, cybersecurity programs, CompTIA.

"This whitepaper can help any organization identify its values and strengths, along with recommendations on how to leverage those strengths to integrate cybersecurity into the overall company strategy."

Building a cybersecurity culture starts at the highest level with executive buy-in and commitment. Incorporating security culture into the organization's mission statement is a clear signal that leadership is committed to providing support and resources for organizational behaviour change.

"You don't have to rewrite your culture," the whitepaper states. "Use your culture to implement cybersecurity…. By leveraging your existing values, you can intertwine your culture and cybersecurity. If you have a healthy culture (supportive, inclusive, diverse, allows for mistakes) then you should be able to have a cybersecurity-first mindset."

Once the commitment to create a cybersecurity culture is made, several actions follow, including:

  • Identify security champions to communicate the vision as well as relay back to the security team what they hear from the various teams and users.
  • Choose a "clarifying event" to explore and discuss conflicting practices and policies with the goal of reaching a consensus on what's best for the organization.
  • Use tabletop exercises to educate and engage staff in cybersecurity best practices.
  • Create documentation and processes that are easily accessible and updated as events warrant to reinforce the commitment to a cybersecurity culture.

The CompTIA whitepaper is available as "Embedding Cybersecurity Into Your Culture," and a companion CompTIA Blog article provides more insight into creating a cybersecurity culture.