How to Build a Cybersecurity Culture in your Company

Steve Manjaly July 15, 2024
- 16 min read


It's been a crazy couple of years, and things are still changing rapidly all around us. But you don't need me to tell you that; you're probably living it in your organization already.

In the IT sector, we've gone through a global chip shortage, the postponement of major tech events, the delay of product launches, and, perhaps most importantly, a near-total shift to remote work across most companies. This sudden shift caused a chain reaction of events, among them a sudden and huge uptick in cyber attacks. The FBI has reported a 300% increase in cybercrimes in the US since the start of the pandemic.

Even post-pandemic, most companies are opting for at least a hybrid model of work, and this is driving changes in their approach to cybersecurity. Organizations and cybersecurity teams are coming up with new strategies to cope with this new environment.

Cybersecurity professionals have started emphasizing the role of organizational culture. As much as anti-virus software and firewalls, employees' perception of threats and their individual notions of cybersecurity play an increasing role in keeping an organization and its digital and IT assets secure.

And in tune with this, there's been a focus shift to building a strong cybersecurity culture within organizations. 



What do we mean by cybersecurity culture?

Cybersecurity policies of most organizations revolve around the cybersecurity team or department. The team, along with the CISO (Chief Information Security Officer), prepares the security policy for the organization and prepares strategies based on the available resources, the cyber risks involved, and other factors.

Cybersecurity culture involves decentralizing cybersecurity responsibilities to everyone in the organization.

In this sense, cybersecurity awareness is the foundation of a culture that rests on leadership commitment, employee awareness and responsibility, clear security policies, incident response planning, and continuous improvement.

Let’s take a look at "organizational culture". 

An organization’s culture defines how employees conduct themselves in their work environment, whether in an office or work-from-home situation. It dictates how employees communicate, the boundaries, the way they dress or present themselves, and what’s expected of every employee.

A cybersecurity culture attempts to reduce the overall cybersecurity risk by strengthening an organization’s weakest link and its most valuable resource: its people.

Cybersecurity culture leverages the organizational culture to reduce security risk.

Instead of defining protocols for every situation or sending out monthly emails reminding employees to change their passwords, a cybersecurity culture ingrains best security practices within the workforce.

Rather than telling the employees what to do, the focus is on making the employees aware of the risks involved and the best practices. The approach empowers employees to make decisions in their activities taking cybersecurity into account.

For example, often in organizations, the cybersecurity teams may implement two-factor authentication for all devices or accounts the employees are using. But if a team is developing a product for internal use, security often becomes an afterthought. With a good security culture, the same team will be motivated to proactively bake in security features to the product from scratch.

Effective cybersecurity culture is making security second nature among the employees, just as digital collaboration, or clocking in and clocking out every day.

How do you build a cybersecurity culture? 

The sudden rise of the need for a cybersecurity culture was driven first by the pandemic and remote work. Ransomware attacks and phishing emails became much more common. Employees and their devices were more prone to attacks, and the IT team or the cybersecurity team alone couldn’t handle the threats.

While ITAM tools and automated threat detection are important, all employees have to play a more active role to ensure the digital security of an organization.

Besides phishing, a remote and distributed workforce creates other cybersecurity issues as well. Unlike in an office, employee devices are not physically secure while working remotely. One of your team members may leave their laptop unattended at a cafe, or there may be a burglary at their house. Full-disk encryption, a screen lock that engages quickly, and the ability to wipe a device remotely limit the damage in those cases, but only if they are in place before the device leaves the building.


The risks of shadow IT are also higher during remote work. Employees are more likely to use tools or software that they feel are best suited for their work without the knowledge of the IT department. This creates risks the organization doesn't know about and therefore can't manage: data in an unsanctioned tool sits outside the backups, access reviews, and offboarding process that cover approved systems.

Leadership-level engagement is crucial in developing and reinforcing effective cybersecurity strategies.

A team that is aware of cybersecurity risks, that proactively takes security-oriented decisions, that cares about cybersecurity even when no one is looking, can significantly mitigate the cybersecurity risks and create a cyber-resilient organization.

Encouraging employees to report potential security incidents and having a well-documented incident response plan are essential steps in this process. 

Strategies to build a culture of cybersecurity

Here are a few strategies that experts recommend to build a robust cybersecurity culture and a comprehensive cybersecurity strategy.

Creating a cybersecurity culture within the organization is crucial to reduce security breaches. One of the most effective ways to build a cybersecurity culture is through continuous security training.

Build support from the CISO and top management

This is one of the first and most important steps to build a security culture. The organization will have to allocate resources for this initiative and support from the top management can streamline the implementation. It's important that the management understands the need for a cybersecurity culture, its benefits, and how it can save expenses and reputation in the long run. 

Executive participation will also help other employees understand its importance and drive them to join the initiative. A cybersecurity champion among the executives can motivate the organization as a whole to sharpen its cybersecurity skills.

Raise cybersecurity awareness within the organization

Employees who are aware of the impact of a cybersecurity incident and how simple measures can avoid it are more likely to work with your initiatives.

Dr. Dawud Gordon, CEO of TWOSENSE.AI, is working with the US Department of Defense to develop defense-grade cybersecurity. We spoke to him about how to build a culture of cybersecurity in an organization. He says: "If employees are educated about the impact of a potential breach, they're much more willing to change their behavior to prevent that worst-case scenario."

"Knowing that the phones will be ringing constantly as worried customers call every line they can reach, that random employees will be asked for quotes by the press, and that lawsuits could require a painstaking discovery process can change how people perceive security inconveniences."

Dr. Dawud Gordon

Carrots, not sticks


Most cybersecurity experts agree that punishments or a culture of shame is not the way to go. You may notice that some members of your organization are alarmingly lax about their cybersecurity practices. Remember that the whole point of building a cybersecurity culture is to understand why those practices exist and to correct them.

While punitive action may give you short-term results, the team won't understand or appreciate your goals this way, and the gains are likely to fade in the long run.

Rewarding good behavior is more likely to encourage participation, and your team will have a positive attitude towards the program. Apply gamification, make it fun within the company culture, and get your employees talking about it. Brand your cybersecurity culture, launch swag like laptop bags or hoodies with the branding, and award them to top performers.

Don't just "set it and forget it"

Cybersecurity culture is not something you can implement with just one or two seminars or office memos. It's a continuous process: a cycle of implementing, measuring, analyzing, and revising the strategies.

Threats are constantly evolving and you have to keep iterating your strategies to keep your employees prepared.

Roll out your initiatives gradually

Don't try to implement every cybersecurity policy in one go. Start small and build upon it. The most common mistake is "trying to boil the ocean," according to Dr. Gordon. "Many security teams try to implement every cybersecurity best practice at once across an entire organization. That's a recipe for disaster - users are shocked by the new inconveniences, and security teams are overwhelmed trying to fine-tune the new policies."

Don't stress out your organization, and make sure the program doesn't feel like a chore imposed from above. To build a culture, your team must want to do it; they should understand the importance, and they should be on your side.

Arm your team with the right tools

This one might seem like a no-brainer, but it's an essential part of fostering a culture of cybersecurity. Help your teams internalize these concepts by providing them with a robust tool that keeps these issues at the forefront.

InvGate Insight's IT security and cybersecurity compliance capabilities allow you to detect whether assets meet your organization's security standards, as well as other external compliance needs. It flags assets that require special attention, detects assets running unauthorized software, and checks for assets with upcoming warranty expirations.

How Yahoo created a culture of cybersecurity

The cyber security culture built by Yahoo’s cybersecurity organization (nicknamed “the Paranoids”) is a fantastic example, and it was documented in this case study by Harvard Business Review.

The organization brought together the red team, the security awareness team, and the behavioral engineering team, which were all operating separately within the company.

The first step they took was to clearly distinguish between actions, habits, and behaviors. Habits were a shortcut for repeated actions, and behaviors were defined as a combination of habits and actions within a context. For example, using a VPN was considered an action, and training employees to instinctively toggle a button to connect to a VPN forms a habit. Behavior would be the employees using a VPN every time they had to connect to the company servers.

Once they defined these, they were able to define behavioral goals. The goal wasn't an action or a habit, but something the team wanted the employees to do in a specific situation. Once they set up the goals, the next step was to understand the baseline and start implementing measures to change it. An important aspect of setting the goals was to ensure each one could be measured quantitatively, so that no one had to judge progress subjectively.

For example, the team recognized that the employees were vulnerable to phishing attacks through fake login pages. The Paranoids identified three metrics.

  • Susceptibility rate: the number of employees who entered credentials and didn't report the email, divided by the total number of emails sent.
  • Credential capture rate: the number of employees who entered their credentials on the fake page and didn't report the link, divided by the number of people who landed on the phishing page.
  • Reporting rate: the number of people who reported the emails, divided by the total number of emails sent.

As you can see, the metrics are objective and easily measurable. The team brought about significant change to these metrics through careful nudges. The team rolled out password managers, which only offer to fill a saved password on the domain it was saved for, so a lookalike phishing page gets nothing even if the employee clicks through. They offered company swag like t-shirts and hats to employees who were using the password manager. The Paranoids also created dashboards for managers which showed the performance of their team and compared them against other teams.
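The three rates above are easy to state and easy to get wrong once real event data arrives: an employee who submits credentials and then reports the email, or a submission whose "landed" event never made it back. The following Python is an added example, not code from the article or from Yahoo's program, that computes the three metrics from a constructed campaign log (the event names, record layout, and team roster are assumptions) and also splits them per team, in the spirit of the manager dashboards mentioned above.

```python
"""Phishing-simulation metrics as the Paranoids defined them.

Added example, not code from the article or from Yahoo. The event log and
team roster below are constructed; the event names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[str, str]  # (employee, event name)

# Constructed log for one simulated campaign, one email per employee.
# Assumed event names:
#   "sent"      the simulated phishing email was delivered to the employee
#   "landed"    the employee followed the link and reached the fake login page
#   "submitted" the employee entered credentials on the fake page
#   "reported"  the employee reported the email or link to security
SAMPLE_EVENTS: List[Event] = [
    ("alice", "sent"),
    ("bob", "sent"), ("bob", "landed"),
    ("carol", "sent"), ("carol", "landed"), ("carol", "submitted"),
    ("dave", "sent"), ("dave", "landed"), ("dave", "submitted"), ("dave", "reported"),
    ("erin", "sent"), ("erin", "reported"),
    ("frank", "sent"), ("frank", "landed"), ("frank", "reported"),
]

# Constructed team roster, for the per-manager comparison.
SAMPLE_TEAMS: Dict[str, str] = {
    "alice": "finance", "bob": "finance",
    "carol": "engineering", "dave": "engineering",
    "erin": "support", "frank": "support",
}


@dataclass(frozen=True)
class PhishingMetrics:
    emails_sent: int
    susceptibility_rate: float                # captured / sent
    credential_capture_rate: Optional[float]  # captured / landed; None if nobody landed
    reporting_rate: float                     # reported / sent


def _rate(numerator: int, denominator: int) -> Optional[float]:
    """A ratio with a zero denominator is undefined, not zero."""
    return None if denominator == 0 else numerator / denominator


def compute_metrics(events: Iterable[Event]) -> PhishingMetrics:
    seen: Dict[str, set] = defaultdict(set)
    for employee, event in events:
        seen[employee].add(event)

    # One simulated email per employee, so emails sent == employees with a "sent" event.
    sent = [e for e, evs in seen.items() if "sent" in evs]
    if not sent:
        raise ValueError("campaign has no 'sent' events")

    # Submitting credentials implies reaching the page, even if the "landed"
    # beacon was lost (blocked tracking pixel, no-JS mail client, ...).
    landed = [e for e in sent if seen[e] & {"landed", "submitted"}]
    # An employee who submitted and then reported counts as reported, not
    # captured: owning up to a mistake is the behaviour the program rewards.
    captured = [e for e in sent if "submitted" in seen[e] and "reported" not in seen[e]]
    reported = [e for e in sent if "reported" in seen[e]]

    return PhishingMetrics(
        emails_sent=len(sent),
        susceptibility_rate=len(captured) / len(sent),
        credential_capture_rate=_rate(len(captured), len(landed)),
        reporting_rate=len(reported) / len(sent),
    )


def metrics_by_team(events: Iterable[Event], teams: Dict[str, str]) -> Dict[str, PhishingMetrics]:
    """Split the campaign log by team so managers can compare teams."""
    grouped: Dict[str, List[Event]] = defaultdict(list)
    for employee, event in events:
        grouped[teams.get(employee, "unassigned")].append((employee, event))
    return {team: compute_metrics(evs) for team, evs in grouped.items()}


if __name__ == "__main__":
    print("organisation:", compute_metrics(SAMPLE_EVENTS))
    for team, m in sorted(metrics_by_team(SAMPLE_EVENTS, SAMPLE_TEAMS).items()):
        print(f"{team:12s} susceptibility={m.susceptibility_rate:.2f} "
              f"capture={m.credential_capture_rate} reporting={m.reporting_rate:.2f}")
```

Run it directly to print the organisation-wide and per-team numbers. The detail worth noticing is the precedence rule: a report after a submission is counted as reported rather than captured, which matches the definitions above and stops the metric from penalizing the behaviour the program is trying to encourage. The capture rate is returned as None rather than 0.0 when nobody reached the page, so a campaign that never got past the spam filter is not mistaken for a perfect result.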

Through competition, rewards, and recognition, the team created changes across the organization and modified the behavior of their employees, building a robust cyber security culture.

The bottom line

The rapid changes in the global landscape have underscored the importance of robust cybersecurity measures. The significant shift to remote and hybrid work models has exposed vulnerabilities and driven a surge in cyberattacks. As a result, cybersecurity professionals are recognizing that technology alone is not enough to safeguard an organization.

Building a culture of cybersecurity, where every employee understands the importance of protecting digital assets and actively participates in maintaining security, is crucial. By fostering this culture, organizations can better adapt to the evolving cyber threat landscape and ensure their long-term resilience and safety.

Remember, cybersecurity is not just an IT issue; it's a collective responsibility that begins with cultivating the right mindset across all levels of the organization.

All of this, of course, has to be accompanied by a robust ITAM tool to streamline your cybersecurity measures across your organization. Ask for InvGate Insight's 30-day free trial to check out what this solution can do for your Security Management.

Frequently Asked Questions 

What are the key strategies for building a cybersecurity culture?

Some key strategies include:

  • Gaining support from the CISO and executive leadership.
  • Raising cybersecurity awareness through continuous training.
  • Rewarding good behavior and applying gamification rather than using punishments.
  • Rolling out initiatives gradually and not trying to implement everything at once.
  • Providing cybersecurity teams with the right tools and resources.

How can leadership engagement help build a cybersecurity culture?

Leadership-level engagement is crucial for developing and reinforcing effective cybersecurity strategies. Executive participation helps employees understand the importance of cybersecurity culture and drives them to participate. A cybersecurity champion among executives can motivate the entire organization to improve their cybersecurity practices.

Why is it important to raise cybersecurity awareness among employees?

Employees who are aware of the impact of a cybersecurity incident and how simple measures can prevent it are more likely to actively participate in cybersecurity initiatives. Educating employees about the consequences of a potential breach can change their behavior and make them more willing to adopt security best practices.

How can gamification and rewards help build a cybersecurity culture?

Applying gamification and making cybersecurity initiatives fun within the company culture can encourage participation. Branding the cybersecurity culture and launching swag like laptop bags or hoodies with the branding, and awarding them to top performers can positively reinforce good behavior.

Why is it important to continuously iterate and improve the cybersecurity culture?

Cybersecurity threats are constantly evolving, so organizations must keep iterating their strategies to keep employees prepared. Cybersecurity culture is not something that can be implemented with just one or two seminars or office memos. It requires a continuous process of implementing, measuring, analyzing, and revising the strategies over time.

