A recent study by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) showed that many Chief Information Security Officers (CISOs) believe that organizations have a long way to go in establishing appropriate cybersecurity cultures within their organizations. The concept of cybersecurity culture (CSC) is defined as the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies. CSC encompasses familiar topics including cybersecurity awareness and information security frameworks, but is broader in both scope and application.
According to the study, CISOs believe that cybersecurity culture is inextricably linked to security best practices in threat prevention, detection, and response. When asked how to improve their organization’s cybersecurity program overall, 60% of the CISOs surveyed said they should strive to create a better cybersecurity culture throughout the organization. This highlights the importance of cybersecurity culture as a necessary component for achieving an organization’s overall mission.
The research also reveals that getting executives and the board more involved in cybersecurity decision making and oversight, increasing the cybersecurity budget, and improving security hygiene and posture management are all components of a strong cybersecurity culture. It’s worth noting that while more than one-third of CISOs rate their organization’s cybersecurity culture as advanced, 34% claim their cybersecurity culture rates as average, and 30% rank their organization’s cybersecurity culture as fair or poor.
Unfortunately, the findings also point to a disconnect between CISOs and other business executives when it comes to cybersecurity culture. The study found that CISOs have often worked for organizations that knowingly ignored security best practices or regulatory compliance requirements: more than two-thirds of CISOs responded that they had worked for at least one such organization, compared with 57% of all other respondents.
The data indicates that fostering a strong cybersecurity culture is crucial for organizations that want a strong and healthy security program. The European Union Agency for Network and Information Security (ENISA) defines cybersecurity culture as promoting cybersecurity as a necessary component for achieving an organization’s overall mission. As the research findings show, however, most organizations still have considerable work to do before their cybersecurity culture meets that standard.
Overall, the study emphasizes the need for organizations to prioritize cybersecurity culture in order to improve their cybersecurity program. This includes getting executives and the board more involved in cybersecurity decision making, increasing the cybersecurity budget, and improving security hygiene and posture management. With cybersecurity threats becoming increasingly sophisticated, a strong cybersecurity culture is a foundational element for organizations to ensure their security practices effectively prevent, detect, and respond to threats.