Setting the Security Tone from the Top

[Image: chess pieces (pawns, king and queen) illustrating senior leadership and tone from the top]

Whatever the size of your organisation, your culture, and the way that people behave, are probably set by the people at the top. This is as true for the organisation’s attitude to cyber security as it is for its ethics.

There is a tendency to assume that security is about technology, but it is important to include people, and the way that people tend to behave, in your security programme. Indeed, policies, processes, people and technology all play an important part in the programme. By creating a culture in which everyone feels responsible for the security of the organisation, and therefore acts to support security, the organisation will be more secure.

If the senior leadership team (whether that’s the solo founder of a new start-up, or the Board of a listed company) cut corners, fail to follow their own security policies, or insist on special treatment, then why should anyone else in the organisation take compliance and cyber security seriously? And if it’s not taken seriously, then the overall security of the organisation declines, adding to the risks the business faces.

Tone is set at the top

[Diagram: Company culture and tone from the top]

As this diagram shows, there are many factors that impact an organisation’s culture. It’s a complex network:

  • External factors, such as legal or regulatory requirements, or societal and market expectations, have an effect on leadership decisions, and on how leaders set the strategy, structure and policy of the organisation. These external factors, of course, also have an effect on the individual employee: their values, expectations and attitudes.
  • The leadership team structures and directs the organisation, and has an impact on each individual as well as on the organisational culture—whether they act intentionally in this regard or not.
  • Every individual has an effect on the organisation’s culture, in the way that they act while at work, and how they communicate with others. Every action builds the culture, whether that’s in the desired direction or not.
  • The organisation’s culture, as it develops and changes over time, then affects the actions and attitudes of the individuals within the organisation, and the way that the organisation operates as a whole.

Given the complexity of the interactions, an organisation’s culture has significant momentum: it can be difficult to redirect it, but it can be done.

Building a security culture

Just as in setting the tone for ethical behaviour, there are several facets of setting a strong cyber security culture:

  • Lead by example. If the company policy is, for example, that all staff should complete regular cyber security training, then everyone in the organisation should do it. And in this example, leaders should make it clear that they are doing the training—there should be no exceptions.
  • Champion cyber security in the organisation. Explain why it matters, in a way that everyone in the organisation can understand. But just talking about it isn’t enough—business leaders should make sure that security is considered across the business, and is taken into account in business decisions at every level.
  • Align policies and objectives. Ensure that policies are aligned with your security objectives as well as with each other and with your business objectives. Ensure they don’t conflict with other expectations. If staff are focused on scoring well against a particular performance measure, and that means that they must work around the security policies to be successful (by that measure), then there is a conflict that should be investigated. Even as a member of the senior leadership team, if a policy doesn’t work for you and for the business, don’t work around it: review the policy.
  • Facilitate open and transparent communication. Enable reporting of issues such as the potential conflict mentioned above. Make sure that staff know how to report any concerns that they have and, importantly, that their concerns are reviewed promptly, and acted on when necessary. Staff should not be blamed for alerting management to a security problem, and nor should any such problems be ignored. If there is a problem, it should be dealt with, and a quick response sends out the message that these reports are valued.
  • Provide (and attend) training and awareness sessions, so that staff understand the importance of cyber security in your organisation, and what security risks to be aware of in their particular roles. As a senior leader, you are a target for a particular type of attack; your receptionist for another; finance for a third… and so on.
  • Reward the right behaviour; set up the right performance measures. People work to the metrics they are judged by; performance measures should be aligned with your objectives.
  • Celebrate successes. If there’s been a mistake or a problem, acknowledge it, investigate the cause and then fix it wherever possible. And if there have been successes, celebrate them.

Re-aligning your company’s culture may take time, but success is more likely if you take that time and make small, incremental changes—it’s easier than trying to change everything at once. Contact our friendly Click and Protect team on 0113 733 6230 for more advice.