When organizations and information security teams think of cyberawareness training, they often think of scams, phishing, malware, and sophisticated social engineering tactics. Rarely do they think of awareness training as an opportunity to change the prevalent culture in an organization. Despite investing in technology, personnel, and technical know-how, and expanding budgets to support ever-increasing information security operational costs, organizations are still falling victim to everyday cyberattacks.
Is there an aspect of the cybersecurity landscape within an organization that is being overlooked? Could dysfunctional organizational culture, lurking behind sophisticated technology and comprehensive security controls, sabotage well-intentioned cybersecurity programs within organizations? Consider some example scenarios to find out:
Power Distance
An organization’s system stops working in the middle of its busiest day, and backup systems fail to kick in. The annual disaster recovery exercise reveals that, under pressure from superiors, the team had fallen into the practice of falsifying results. The organization clearly had a low power distance index.
A power distance index can be used to measure the level of deference lower-level employees show to their superiors. Cultures, whether organizations or nationalities, with lower power distances exhibit higher levels of individuality where people are more likely to question their superiors and point out their mistakes.
Buy-In
An organization suffers a data breach after just one employee is phished. Multifactor authentication (MFA), which would likely have prevented the incident, had been delayed for more than two years because the operations director felt that rolling out MFA to the organization would mean more support tickets for their short-handed help desk. An objective review would have confirmed the concern was legitimate. Understanding the possible downstream effects of initiatives and addressing them at the start can prevent situations where projects drag on for a long time due to lack of buy-in.
Risk-Averse Culture
An organization finds itself in the middle of a massive data breach because a risk-averse manager had, for years, refused to upgrade a reporting server that was installed on an ancient system for fear of changing the status quo. Senior IT managers should have the soft skills to sell the need for the upgrade and prepare the business for a possible, temporary disruption. IT managers should be evaluated on their ability to take calculated risk to achieve something of higher importance for the organization.
Punishing Mistakes
An organization experiences a ransomware event after making the cardinal mistake of not patching third-party software, even though the software vendor had issued an important security patch. Why the reluctance? The cybersecurity manager, who had won the support of senior management and done substantial testing on a previous vendor patch, publicly lost that support when the patch caused minor downtime. Ultimately, the organization paid the price for the shortsightedness of a couple of executives.
Not My Job
Everyone wears multiple hats in small organizations. Problems arise when specific job duties are not written into job descriptions.
An email account of a hospitalized employee has been compromised. Who then, since multiple people have assumed the role of email administrator in the past, is responsible for the fact that the employee in question had not been enabled for MFA, as organizational policy dictated? The lines of responsibility within a team wearing multiple hats should leave no doubt as to who is responsible for enforcing organizational policies and controls.
Obsolete Auditing Practices
Traditional, internal and external IT security audits often fail organizations because they tend to focus on processes, technology and controls and not enough on people and organizational culture. Auditors should develop qualitative and quantitative culture assessment techniques to offer to organizations in addition to traditional audits. Small- to medium-sized organizations typically do not have the resources to invest in the techniques required for a cultural assessment. A universal culture score derived and offered by auditing services, especially scores that can be compared with those of similar organizations with similar sizes in similar industries, could provide one more weapon to beleaguered information security officers everywhere.
Staying One Step Ahead
How many people have seen these destructive cultural aspects in their own organizations? Organizational leaders can stay one step ahead of damaging cybersecurity culture by being cognizant of deadly organizational cybersecurity sins and using effective awareness programs to blunt the damaging aspects of prevailing culture. Technology is increasingly playing a role in securing organizations, but even more important than technology is the prevailing culture within the various groups that make up an organization. Evaluating management and leadership on organizational culture based on qualitative or quantitative techniques, either using universal attributes of culture or developing custom assessments specific to the organization and using targeted awareness programs, should be the next logical step in securing systems and data.
Editor’s note: For further insights on this topic, read Ranjit Bhaskar’s recent Journal article, “Better Cybersecurity Awareness Through Research,” ISACA Journal, volume 3, 2022.
ISACA Journal turns 50 this year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!