Industry Insights with Dr. Siva Sivasubramanian


Cyber Capability Uplift - Culture Is Key

Former CISO Dr. Siva Sivasubramanian on Building a Cybersecurity Culture

Improving cyber capabilities and posture is a top priority for many corporations today. They deploy new tools, technologies and architecture in the hope of enhancing their cyber capabilities, often yielding questionable results.


The success of any cybersecurity uplift program, however, hinges on the wider staff’s recognition of the value of cyber protection initiatives and their active adoption and advocacy. While training is a necessary component of this, it alone is not sufficient. Success requires a holistic approach beyond training, encompassing a comprehensive understanding of security issues and the actions needed from each individual.

Step 1: Getting the Entire Organization to Care

Cybersecurity involves people, processes and technology. The key to building a strong cybersecurity culture lies in the willingness of people to embrace security policies and the organization's support in helping them do so.

Employees should understand the importance of cyber controls and willingly adopt them. Organizations, on the other hand, should implement pragmatic processes to support employees in adopting security policies. Technologies should be deployed to enhance and amplify security capabilities.

Step 2: Training, But Better

Even with improved training delivery, employees often relegate it to a mechanical activity to get the obligatory compliance ticks. Too many mandatory training requirements induce training fatigue. The goal is not to discount training but to enhance it.

Organizations should take responsibility for transforming training into an exercise in promoting cognition, where staff understand the broader security issues and the actions needed from them, and gain knowledge and awareness of how they can contribute to the betterment of cybersecurity. Large-scale participatory programs are key.

Step 3: Employees and Leadership: Partners in Crime

Organizations can foster a culture of cybersecurity by initiating simple yet impactful programs such as secure development, secure software procurement and secure operations. These programs, designed to be participatory and dialogue-enhancing, encourage staff to understand and appreciate cyber issues and their role in improving cybersecurity. This not only uplifts employee cognition but also enlists their support as partners in implementing cyber controls.

To complement grassroots-level cybersecurity initiatives, organizations must also involve top-level leadership. An ideal program for this purpose would be ‘security exception management,’ where any security exceptions (non-compliance) happening across the organization are documented, risk assessed, and submitted for executive endorsement for exemption. This program draws executive attention to the structural and organizational issues that necessitate exceptions and prompts executives to resolve them.

Step 4: Simplicity Is Key

Simple yet significant programs help ensure that every segment of the organization understands its cyber responsibilities and has channels for cyber-related dialogues. The executives would have a firsthand understanding of what works and what does not in the cyber domain to effect meaningful course correction.

This is the genesis of an organization's cyber culture. Once it is truly and meaningfully established, an organization is ready to benefit from a cyber uplift program.



About the Author

Dr. Siva Sivasubramanian

Dr. Sivasubramanian is a seasoned cyber strategist and a transformational leader. He served as CISO for Singtel Optus in Australia and global CSO for Bharti Airtel. He helps disseminate knowledge to the broader community through talks, writing and mentoring.



