
Part 3: Cyber risk and business culture: Can you assess the two?

Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

By Dean Chapman | March 12, 2021

Does the level of attention applied by your senior management correlate with the likelihood of cyber events?

Our opening articles introduced a crucial question for business leaders – does the level of attention applied by your senior leadership and management teams correlate with the likelihood of cyber events, and facilitate effective cybersecurity within your business?

When cyber security is discussed, it is often assumed to be a concern for the Information Technology (IT) or Information Security (IS) team alone. These teams are sometimes treated as “invisible” parts of the business. Worse, they often assume responsibility for the organization’s security within the cyber ‘space’ by default.

While that might be true for a majority of organizations in terms of the day-to-day management of IT security, cyber is not simply an IT problem. Global businesses are, in some form, dependent upon ‘cyber’ to support their ability to operate efficiently in an increasingly connected world. Cyber means many different things to leaders, teams and individuals within an organization. Cyber security might be considered a boring subject by an organization’s workforce, but the reality is that cybersecurity is everybody’s problem and we should all be invested and engaged in it.

Cyber, and cyber risk more specifically, should be considered by leaders to be among the most critical of business priorities. As there have been numerous examples of severe, often devastating, business impacts associated with cyber security incidents, leaders must understand that the longevity of their organization will possibly be dictated, at least in part, by the approach they take to building and nurturing a strong cyber culture – one that places the human element (i.e., the workforce) at its heart.

Components of cyber culture

What do we mean by cyber culture? There are many components to an organization’s cyber culture, the first perhaps the most obvious – people. The ‘employees are your weakest link’ message is one used excessively within this industry; organizations are repeatedly told to spend more money on building and securing their ‘human firewall’. Where does an organization start with this process? More training, more policies, more rules? The simple message is that humans can and will make mistakes; 100% security does not and never will exist. Indeed, the sooner organizations, and specifically leaders, can appreciate that human mistakes will happen, the sooner they can take a measured and proportionate approach to managing risk. Human mistakes can include lack of management focus and poor decision-making, as outlined in our prior Management Attention series articles. Other factors that contribute towards an organization’s cyber culture may include:

  1. Knowledge and resources: Do leaders know how to identify, assess and reduce people-related cyber risk (alongside the more traditional technology risks)? Would leaders consider the organization to be lacking in the skills and knowledge required to manage their level of cyber risk? Do leaders think current levels of investment are sufficient to meet the cyber threat(s) faced by their business?
  2. Return on Investment (ROI): Does the organization and its leaders place an emphasis on demonstrable ROI from cybersecurity spend? While people-related cyber controls offer little in the way of ROI when considered against more technological security controls, does the business lean towards a security posture and approach that offers more tangible returns? Is a focus on ROI distracting leaders from the true source of a majority of cyber security incidents, the people?
  3. Governance approach to cyber awareness and training: Do leaders take a governance-based approach to cyber security awareness? Is the workforce cyber awareness and training strategy built to satisfy the regulator(s) and achieve only compliance / adherence? If considered the bare minimum, are leaders confident that all parts of the business are equipped with the retainable knowledge required to effectively identify, report and respond to a cyber incident?
  4. Direction and guidance: Who sets the cyber ‘tone’ within the business? Are leaders actively engaged with the workforce on a range of cyber matters? Do they encourage dialogue and are they open to new ideas and innovations from their team(s)?
  5. Communication and responsibility: In conjunction with the point above, how effective is communication within the business? Have leaders established effective channels or methods of communication across the business? Leading by example, do leaders approach cybersecurity as a single and holistic challenge, and is the strategy, at both tactical and strategic levels, a cross-functional one that draws upon each part of the business, not just the IT team?
  6. Cognitive biases: How are leadership decision-making processes (regarding cybersecurity) influenced by factors both internal and external to the business? It is said that our decision-making abilities are shaped by our experiences and our environments. For business leaders, how is imperfect decision-making impacting cyber security? As humans (and groups of humans) interpret and act upon information differently, does the business account for this when developing its cyber and risk strategies?
  7. Working environment: Have leaders considered if or where working ‘norms’ are heightening the presence of cyber risk? Are employees operating under constant pressure and / or working long hours to meet tight deadlines and business objectives? The events of 2020 have brought this issue into the spotlight, where the real threat of job losses led to resources working longer hours in order to maintain their positions. Hackers thrive in environments where employees are tired, stressed, fatigued and prone to making mistakes or ‘dropping their guard’. While business norms are difficult to change, have leaders worked to gain an awareness of where working environments are potentially putting people and the business at risk? If neglected, it could be leading to resentment, disengagement and general unhappiness amongst the workforce.

The above items, when discussed and considered together, will offer insight into what a cyber culture might look like.

Assessing and improving cyber culture

So, where do you start? Year-on-year statistics highlight the central role an organization’s people have to play in cyber security. Human error accounts for a majority of global cyber incidents and threat actors are likely to continue to exploit those ‘human’ vulnerabilities. It is no surprise, then, that we recommend that leaders initiate cyber culture improvement by starting with people.

In building an effective and responsive cybersecurity strategy, an organization must first look to understand the thoughts, opinions and perceptions of its workforce. By identifying potential problem areas and engaging employees across functions, levels and seniorities, leaders can build from a position of knowledge and strength. Real-time insights and measurable metrics are the vital building blocks that will act as a baseline for the development of a truly people-centric cyber security strategy.

Leaders should also work to understand whether the organizational cyber culture is aligned with business strategy. Leaders must understand how, when considered collectively, they may be influencing, for better or worse, the cybersecurity posture of the business.

An organization’s people and business culture will likely dictate how successful their cyber security strategies are in practice.

Leaders must engage with the workforce, taking steps to learn the ‘person’: their attitudes, thoughts and perceptions. Only then can they begin to take steps to really understand and strengthen the cyber culture. By gaining an awareness of human factors along with technology factors, leaders can start to positively affect and change business norms, behaviors and, in turn, the culture within an organization.

Cybersecurity must be built around the people and the culture that make up the business, not vice versa. Otherwise, the key component of culture – people – may be working to ‘nullify’ the efficacy of business security strategies.

(Cyber Risk) Lead Consultant, GB Cyber Risk Solutions