The CIO Diaries: Championing a Cybersecurity Culture

One of the priorities of the Chief Information (Security) Officer [CIO/CISO] is to drive employee cyber behavior. A single click on a malicious link by a naive employee could bring the whole organization to its knees and leave the CIO spending sleepless nights getting operations back up.

While most CIOs and CISOs focus on key strategic areas such as reducing technology cost, increasing budget, enhancing processes and procedures, and providing regular training for the organization, a new cohort of CIOs is expanding its cybersecurity focus with another strategy: creating a cybersecurity culture within the organization and championing a culture of ‘safety first when in cyberspace’.

The integration of a cybersecurity culture into the organization’s culture will help to address employee cyber behavior. In this article, I describe how to champion a cybersecurity culture for your organization.


What is a cybersecurity culture?

Cybersecurity culture is the set of unwritten rules that surround cybersecurity. It represents the beliefs, attitudes, and values of an organization that drive employee behavior in protecting and defending the organization from cyber-attacks.

These beliefs, attitudes, and values are influenced by both external and internal factors. External factors include industry regulations and employees’ personal experiences outside the organization, and they are usually beyond the control of the CIO.

The CIO, however, has control over internal factors, which include: leadership from the CIO; regular compliance audits (regular phishing exercises, etc.); rewards and sanctions for compliance and non-adherence; knowledge transfer; training; and regular communication through effective channels. This may include regularly disseminating news on recent attacks around the world and how employees can avoid becoming victims and better protect the organization.

Culture is difficult to identify, develop, and measure for success. Your cybersecurity culture therefore needs a good strategy to succeed.


Strategy for a strong cybersecurity culture

The CIO’s strategy for a strong cybersecurity culture will need to be tacit. It will usually span two audiences: top management and employees.

1. Top management

Top management includes those with major budget influence, including the Chief Marketing Officer (CMO), Chief Finance Officer (CFO), Chief Risk Officer (CRO), Chief Executive Officer (CEO), and the Board of Directors. Your ability as a CIO to influence the C-level and eventually the Board will propagate a strong cybersecurity culture within the organization. Influencing at the C/Board level demands that the CIO exhibit strong communication skills and understand the following facts:

· Security is most likely not the core business of your organization

· Your C-level stakeholders have Key Performance Indicators (KPIs) to meet that are bottom-line oriented

The key to success at this level is to build trust among the stakeholders. One way of building trust is to report on the success of existing cybersecurity investments as they relate to the bottom line. Then create a storyline about cybersecurity culture that speaks to the C/Board level and their world. It is important for your story to explain how a strong cybersecurity culture impacts the bottom line and enhances the growth potential of the core business.


2. Employees

At the employee level, the CIO needs a more collaborative approach to ensure that employees feel a sense of ownership. One way to accomplish this is to recruit cybersecurity champions or evangelists who will propagate the security culture across their various departments and provide feedback on the success of the program.


Recruiting cybersecurity champions

In recruiting cybersecurity champions, it is important to select naturally security-conscious people who understand the impact of information security breaches on their work and on the organization’s bottom line and reputation. You may identify them among the high performers in your regular information security audits and exercises.

Your cybersecurity champions should also exhibit awareness and knowledge in the following areas:

· Self-awareness regarding the actions that enhance security

· The organization’s laid-down policies and procedures that must be followed

· Cyber and information security-related behaviors and practices expected of every employee

· Awareness of the overall threat landscape and staying informed



In designing a successful cybersecurity culture, the role of top management (C/Board level) cannot be overstated. Top management buy-in and participation are critical to driving commitment from all employees. Your goal as a CIO is to influence the priorities, participation, and knowledge (P.P.K.) of the C-suite regarding cybersecurity.

Another recipe for success is the recruitment of cybersecurity champions across all departments. To minimize insider threat, the selection of your team of champions could also consider competence (what the person can do) and access (what resources the person has access to).

As businesses finally recognize that cybersecurity is a business enabler, a strong cybersecurity culture will improve operations (the bottom line) and build brand loyalty and competitive advantage. Additional benefits may be gained by intentionally building cybersecurity considerations into projects that are not primarily about cybersecurity.

Finally, the CIO must have a way to monitor the success of the cybersecurity culture along both communication lines (top management and employees) and its impact on the organization.


About the Author

Kwadwo Akomea-Agyin is a seasoned business professional with 12+ years of progressive experience in consultative business development, product, and digital transformation solutions. He has a unique ability to understand the market (i.e. buyer and user requirements) and collaborate with key internal stakeholders to translate such business needs into Unique Value Propositions (UVPs) that can be successfully delivered.

Member, Institute of ICT Professionals Ghana (IIPGH)

For comments, contact Kwadwo on WhatsApp: +233544341374 | Email: | Skype: Kwadwo_2010