Considering Culture in Your Cyber Strategy

Marco Túlio Moraes
3 min read · Jul 27, 2022
Image: Victor Verstappen

The position of CISO has been transformed to be less a technologist and more a business executive, which means pragmatism is now flooding our way of thinking and doing. We are strategically thinking, setting, aligning, and executing a plan like other business executives. But, like many other executives, we are forgetting the organizational culture.

In a 2018 article published in Harvard Business Review, the authors write, “Culture is the tacit social order of an organization: It shapes attitudes and behaviors in wide-ranging and durable ways. Cultural norms define what is encouraged, discouraged, accepted, or rejected within a group.”

The organizational culture can be an asset or a barrier to any security strategy. The recipe to use it as a barrier is easy: Define your strategy, justify it by any critical cyber issue, and run over the way the company does things for the sake of the organization.

On the other hand, leveraging culture as an asset first demands understanding that results are shaped by the journey itself. They are not achieved in a vacuum, so investing in the process that leads to those results takes energy, patience, and above all, being a person who likes people. We need to understand the way things happen and adapt.

Try implementing rigid processes and policies in a startup, punishing insecure behaviors in a collaborative organization, or pushing a large number of rapid changes in an environment that values maintaining the status quo. Things are not going to happen, and you will be seen as someone who is not part of the organization.

Three Considerations for Leveraging Culture in a Security Strategy

Map the Environment

Understanding how people get things done in the organization requires listening, watching, speaking, reading, writing, replying, and all sorts of communication-related skills.

It also helps to have some notion of what you are trying to detect, and to use cultural tools and frameworks such as the Culture Alignment Framework, which can help you understand the way people communicate and relate to each other, how they react to change, how they lead and make decisions, and the way they trust.

Define Your Vision and Start the Awareness

Once you get people engaged, start collaborating, developing, and executing the plan. If you stay connected to people and let them develop and execute it together with you, you have a better chance of deploying something sustainable. Culture is not doing things your way, nor the way you assume a company does things; it is the way people outside of infosec actually do things in the organization. It is a diversity of thought and knowledge coming to the table.

Be Patient

Bear in mind that, regardless of its urgency, implementing a security program is only sustainable if it influences the organizational culture to its core. That takes patience, education, and ongoing engagement. Keep learning about the organization, since culture is an ever-evolving process, and your plan should be too.

Originally published at https://www.rsaconference.com/Library/blog/considering-culture-in-your-cyber-strategy


Marco Túlio Moraes

Director of Cybersecurity & Privacy, with 20 years of experience in tech, risk and infosec. Recognized as one of the TOP 50 Global CISOs by IDG.