Cybersecurity Culture – What does it mean?

The term „Cybersecurity Culture“ appears to be very much en vogue at present. I have myself participated in several panel discussions over the last year that specifically addressed this topic. But what does it mean?

I have been mulling this over for quite some time now and would now like to ask you, dear reader, to reflect on my thoughts and provide feedback. Perhaps together we can come to a clearer picture of where we stand, anywhere we need to go next.

Today, Cybersecurity Culture is very much interpreted to be the art of getting our users/employees to act in a manner that is appropriate to an organisation‘s risk profile. This is done through training and tooling, to elicit the desired method of behaviour from the subjects, i.e. the users or employees. It is generally implemented as a Cybersecurity Awareness Programme, applicable to the general populace of the organisation.

But is that really a „culture“? And is it even the right approach?

I’ve been mulling over this topic for quite some time now and there are essentially two parts that I think need addressing:

  • First, the question is, is cyber security culture a separate topic, or does it need to be integrated in the overall culture of an organisation? In fact, should we rather be talking about a Cyber-Secure Organisation Culture, rather than an Organisation Cybersecurity Culture?
  • The second part is, whether this one-size-fits-all approach is the most efficient in achieving the organisations goals? Would it perhaps not be better, to have several sub-cultures within the organisation that then outlined the values, beliefs, and actions of different groups of people, e.g. managers, knowledge workers, developers, or front office staff?

I believe that there are still many aspects of this topic that can, and need, to be explored. This is what I will be focusing on in the next few articles. In doing so, I would like to reflect upon not just my own opinions, but also on those of the community in general.

So, dear reader, please share your views and opinions on this topic. The more views we have, the more we can reflect upon them in our discussions and in the articles to come. So please don’t hesitate in providing your own opinion on this topic in the comments below.