
Published on January 4th, 2025

Introduction

As cyber threats become more sophisticated, organizations are putting greater emphasis on cybersecurity training and awareness. People—their decisions and actions—have long been the weakest link in cybersecurity. Many experts believe the solution lies in fostering a cultural shift throughout the organization. Building a strong cybersecurity culture not only empowers every employee to take responsibility for security but also strengthens the organization’s defenses, ensuring long-term growth and trust. This article discusses how to create such a culture by focusing on clear policies, employee engagement, and leadership involvement.

Building the Foundation: Comprehensive Cybersecurity Policies

The first step in creating a cybersecurity culture is establishing clear and effective policies. These should outline acceptable behavior, including guidelines for network security, access controls, and communication standards. According to Erez Tadmor, field CTO at Tufin, these policies need to be easily accessible and understandable by all employees. “When security teams align with these guidelines, it fosters a sense of unity and responsibility that becomes part of the company’s culture,” he says.

By setting clear expectations, these policies ensure that employees understand what behaviors are needed and provide consistency across the organization. This foundation helps everyone work toward common security goals.

Promoting Ownership and Accountability Across All Levels

Amanda Satterwhite, managing director of cyber mission and enablement at Accenture Federal Services, emphasizes the need to encourage ownership of cybersecurity at every level of the organization. One way to achieve this is by assigning specific security roles within teams or departments.

Furthermore, recognizing and rewarding employees who follow strong cybersecurity practices is essential. Satterwhite recommends incorporating security performance goals into annual reviews. “Setting minimum security performance goals helps foster a culture of accountability,” she explains. This ensures that everyone understands their individual responsibility for protecting the organization.

Leadership Involvement and Cross-Organizational Collaboration

For a cybersecurity culture to thrive, leadership must set the example. Jennifer Sullivan, a principal at Deloitte’s cyber strategy practice, suggests that C-suite executives, including the CEO and board members, should actively integrate cybersecurity into the organization’s strategy. It is also important for departments such as IT, legal, HR, finance, and operations to collaborate and address evolving cyber threats together.

By providing continuous education and support, organizations can ensure that cybersecurity is viewed as a shared responsibility, rather than just the job of one department. Engaging employees at all levels reinforces the idea that cybersecurity is everyone’s responsibility.

Creating a Cybersecurity Culture: Employee Engagement and Training

Employee engagement is crucial to maintaining a strong cybersecurity culture. Liberty Mutual Insurance is an excellent example with its “Responsible Defenders” program. This initiative teaches employees about their role in protecting sensitive information. With 45,000 employees globally, Liberty Mutual uses various methods such as social engineering exercises, gamification, blog posts, and videos to keep staff involved in cybersecurity training throughout the year.

The program is regularly updated to reflect the latest cyber threats. Employees also participate in phishing simulations, and those who fail the test receive real-time training on identifying suspicious emails. “We also offer a ‘Friends and Family Cyber Guide’ for employees to share, helping extend cybersecurity awareness beyond the workplace,” says Jill Areson-Perkins, cybersecurity manager at Liberty Mutual.

Through this ongoing engagement, Liberty Mutual ensures that cybersecurity becomes a shared responsibility throughout the organization.

Making Cybersecurity a Business Imperative

One mistake many organizations make is treating cybersecurity as a standalone initiative. Sullivan warns that cybersecurity must be recognized as a critical business priority, integrated into the broader organizational strategy. This requires the attention of the board and executive leadership.

By embedding cybersecurity into the company’s core values, businesses ensure that it is prioritized at every level. This alignment helps allocate resources effectively, fostering a proactive approach to risk management and creating a culture where cybersecurity is a central focus.

Maintaining the Culture: Continuous Learning and Adaptation

Building a resilient cybersecurity culture is an ongoing process. According to Tadmor, maintaining this culture requires continuous learning. Cybersecurity must become part of daily routines rather than a series of isolated initiatives.

Regular training, clear communication, and real-time monitoring are all essential for keeping the culture alive and responsive to emerging threats. By making cybersecurity a shared responsibility, companies can build a security posture that is flexible and adapts to the evolving digital landscape.

Clear Communication and Messaging

Effective communication is essential when fostering a cybersecurity culture. Satterwhite cautions against using technical jargon or buzzwords that might confuse employees. Instead, cybersecurity campaigns should be simple, clear, and relatable. “Cybersecurity messages should be practical and easily understood by everyone,” she says.

Using familiar, company-specific language ensures that employees grasp the importance of securing company assets and are motivated to take action.

Conclusion

Creating an enterprise-wide cybersecurity culture is critical in today’s rapidly changing digital world. By prioritizing cybersecurity and integrating it into the organization’s core values, businesses can turn vulnerabilities into strengths. Clear policies, leadership involvement, employee engagement, and ongoing education are essential for building a culture of ownership and accountability.

As cyber threats continue to evolve, maintaining this culture requires continuous effort, collaboration, and adaptation. When cybersecurity becomes deeply ingrained in every aspect of an organization, it becomes a shared responsibility, empowering employees and strengthening the organization’s resilience against cyber threats.
