- About 95% of organizations believe there is a minor or significant gap between their current and desired cybersecurity culture, according to ISACA's Cybersecurity Culture survey of about 4,800 international business and technology professionals.
- About 80% of organizations are currently undergoing employee training and communicating behavioral policies to improve their cyber culture. Obtaining cybersecurity certifications for cyber professionals is less of an immediate priority. Half of respondents plan to pursue certifications over the next 12 months.
- A lack of employee buy-in stands in the way of a desirable cybersecurity culture at 41% of organizations, and disparate business units do so at 39%, according to the report.
The human part of cybersecurity is as important as the tech side. But nothing can get done without cultural buy-in.
Employees sometimes stand as the only line of defense when a phishing email slips past a filter. Fewer than 10% of cybercrimes occur outside of email, which makes an untrained or negligent employee a prime target for malicious actors. Cybersecurity experts consistently list employee training and awareness as a fundamental step in security.
The report says companies can help convey their security policies to employees when they:
- Define security protocols for new employees during their onboarding process.
- Customize security training by technical difficulty and departmental risk profiles.
- Create contact points for mock drills for employees to perform during a cyberattack.
To implement successful culture hacks, CIOs need to find vulnerable parts in their company's culture and plug in small changes, said Kristin Moyer, distinguished VP analyst at Gartner, speaking at the Gartner Symposium last week in Orlando, Florida.
CIOs who invest in small culture hacks show that change requires "low effort but they are not low courage," she said. By 2021, CIOs will be as responsible for cultural changes as HR. This helps cultivate a sense of shared responsibility for security and eliminate a checkbox mindset, according to the report.
Line of business employees should be pulled into the conversation around cybersecurity. Cultivating an inclusive security culture that reaches beyond an organization's security team can bridge the gap between employee involvement and a desired cyber culture.