Building A Cyber-Resilient Culture

An organisation-wide journey to combat evolving cyber threats

As the cyber risk landscape evolves, executives are increasingly questioning the readiness of their organisation’s defensive capabilities, often asking “have we invested in the right systems? Do we have the correct risk-assessment frameworks? Are we able to anticipate new types of attacks in the market?” While valid, these questions do not address a fundamental pillar of security: a cyber-resilient culture at the grassroots level. Implementing systems and security frameworks is important, but they are ineffective without a strong cyber culture behind them. Most organisations believe that their systems are good enough to protect against insider threats, or that cyber attacks always involve sophisticated technical approaches, and so they de-prioritise culture in favour of something more concrete. However, more than 50% of organisations had a breach due to actions by staff in the last 12 months, and a breach is more likely to result from an employee leaving a laptop on a train than from a malicious criminal hack. This is where system-led solutions reach their limit, and a cyber-resilient culture becomes important to help organisations defend against cyber breaches.

Building a cyber-resilient culture requires a coordinated approach that starts with identifying desired cyber behaviours, and then lays down adequate policies, frameworks, and processes to promote those behaviours. These policies must be supplemented with training, incentives, coaching and communications to drive change in those behaviours. Finally, progress should be measured periodically through metrics and organisation-wide culture pulse surveys. It is also important to note that this is not a one-time effort but a journey, and it could take 12-18 months before any observable changes in the organisation’s culture can be seen. Throughout this journey, the target behaviours and the supporting “nudges” that drive those behavioural changes also need to adapt as the organisation matures.

Oliver Wyman’s paper, “Building A Cyber-Resilient Culture”, illustrates the pitfalls of relying on systems and tools for cyber defence, and demonstrates the importance of building a cyber-resilient culture. Through illustrative examples, the paper explains how staff behaviours, driven by a lack of cyber awareness, could lead to potential cyber breaches. Building a cyber-resilient culture requires a coordinated approach across the desired behavioural changes, suitable frameworks including policies and processes, and measures to drive behavioural change such as incentives, training and communications. It is also important to measure progress over time to make sure sufficient progress is being made in the right direction, and the paper provides example metrics that can be used to measure progress across all these components. While cyber threats are always evolving, building a cyber-resilient culture is critical to truly defend the organisation. Any observable change in culture could take 12-18 months, so it is important for organisations to start right away to truly defend themselves from the ever-evolving cyber threats!