Building a cyber resilient culture — how to embed a culture of cyber resilience in your organization
The UK government considers cyber to be a tier-one national security priority alongside international terrorism. As the cyber risk profile continues to evolve, organizations must increasingly question how well prepared they are to counter this threat. Mature technical controls are, of course, critical to digital protection but this is just one piece of the cyber resilience puzzle.
Some reports indicate that in 2021 as many as 82% of data breaches involved a human element such as lost credentials, phishing, misuse, or error. As technology gets more sophisticated and businesses are better able to technically protect themselves, cyber criminals are increasingly likely to target the vulnerabilities of our people in order to gain access. Employees, mostly without malicious intent, are likely to expose the organization to threats at some point, whether by accidentally forgetting to do something or by intentionally ignoring policy and process.
It is, therefore, imperative that people understand the critical role their behaviours play in contributing to the security of their organization (and indeed their personal lives). To truly protect your organization from cyber-related risk, it is critical to build a culture of cyber resilience.
What is a cyber resilient culture and why is it important?
Cyber security and cyber resilience are not the same thing. They are interconnected of course, but where cyber security refers to an organization’s ability to protect itself and its information by getting the basics right today, cyber resilience takes a more future-focused outlook. Those organizations that focus on cyber resilience are proactively looking to anticipate where threats might come from, minimise the impact of attacks when they do come, and learn rapidly to adapt, therefore protecting themselves from future threats. But perhaps most importantly, they recognise the critical role of people and of building a cyber resilient mindset across the organization. This ensures resilience is integral not only to their business-critical systems, but also to leaders, teams, and daily operations. In essence they embed cyber resilience into the organizational culture.
The concept of a cyber resilient culture refers to a state of maturity in which colleagues at all levels understand the personal role they play in keeping the organization safe and make a conscious effort to proactively behave in ways which protect the organization from a cyber-attack. It is about the attitudes, knowledge, assumptions, norms, and values of the workforce of an organization with respect to cyber security, and these are influenced by a complex web of factors which combine to encourage the culture and behaviours you want to see.
The challenges we often see in supporting our clients to build cyber resilience into their culture include:
1. De-prioritising culture work for something more concrete: shifting culture is difficult and it can be messy and time consuming. It can therefore be very tempting for leaders to de-prioritise this work for something that will be seen to deliver much quicker wins. This usually equates to technical solutions or process improvements but, even then, if you don’t consider the human beings on the receiving end, these ‘improvements’ are unlikely to land and fully embed.
2. A perception that external attacks are the biggest threats: insider threat doesn’t just have to refer to the malicious employee out to get revenge. Research on serious data breaches in 2021 found that even though human error was the main cause at 84%, when questioned, IT leaders reported their biggest concern to be intentionally malicious behaviours.
3. Assuming that successful cyber-attacks rely on sophisticated technical approaches: as already indicated, many research papers and reports show that human error or oversight is in fact the highest contributing factor in enabling successful attacks and data breaches. It’s not all genuine innocence and mistakes either – according to a 2020 report, 58% of organizations surveyed reported that employees actively ignore cyber security guidelines.
How to bake cyber resilience into your organizational culture
A strong cyber culture is one in which both the functional determinants, such as policy, governance, leadership, and incentives, and the emotional determinants, such as trust, fairness, ease, and social norms align, manifesting in positive cyber conscious behaviours.
Cyber resilience culture goals must be strategic, organizationally aligned and risk aligned. PA Consulting’s Approach to Culture Shaping (pictured) demonstrates that it is essential when beginning a culture shaping journey to ‘look under the surface’ and explore the reality and the experience in which your people are operating. Understanding the lived culture, purpose, and values will help you identify how people engage with cyber risk currently as well as existing cultural strengths that you should leverage and build on as you seek to enhance the importance of cyber resilience within the culture. The degree to which the importance of cyber resilience is likely to be adopted will be influenced by broader attitudes your organization has towards rules more generally.
Other key aspects of this work include the engagement of leadership in role modelling and reinforcing key cyber behaviours, as well as gathering continuous feedback to ‘listen and adjust’ as you start to make change.
It’s also important to know the reality of where you’re starting from by understanding current mindsets and behaviour; this helps you determine where the significant gaps are and develop a roadmap for change.
When adopting a people-centred approach to reducing cyber risk and embedding a culture of resilience, we recommend focusing on three key areas which you can see above at the centre of our model:
1. Design the system within which your people operate to promote security
Do your policies, organizational structures, and governance clearly promote cyber security requirements? Are your processes easy to follow, or do they prevent colleagues from being effective in their primary role? Systems, processes, and structures are some of the most fundamental drivers of behaviours across an organization. Ensuring you purposefully design these to provide a consistent message will reinforce that cyber resilience is something you care about getting right and help drive the desired behaviours.
To promote positive cyber behaviours, look at your teams as individual people – carefully identify what skills and tools they need to operate effectively, and understand why and how they might make mistakes. Review your policies and processes, and re-visit your operating model to ensure roles and responsibilities are clear. Set out expected behaviours for each role and make it as easy as possible for teams to meet their security obligations.
2. Engage with hearts and minds by making cyber something people care about at an individual level
Do you talk about cyber resilience as a core component of managing business risk and building broader organizational resilience? Is a positive cyber resilient mindset adopted and championed at board level? Do leaders and managers role-model the right attitudes and behaviours when it comes to positive cyber practices?
Cyber-attacks are a reality, not a threat, and those organizations with strong cyber resilience accept this. It is therefore critical that people understand and feel comfortable talking about cyber security and how it relates to them, both inside and outside of work. Helping colleagues to realise that good cyber security knowledge and skills will keep themselves and their families safe at home as well as protecting the organization can be very powerful. Make it clear why digital security is a concern for your organization and explain the potential impact of cyber-attacks by using real examples or near misses your organization has experienced.
Leaders must be prepared to be humble when it comes to cyber security. Don’t be afraid to admit that you yourself might have fallen foul of a scam or phishing email or that you don’t always have the right answers. Ensure that best practice at all levels is recognised and celebrated to promote the behaviours you want to see.
3. Nudge the right habits by making cyber practices easy for people to follow
Does following your cyber security processes impede people from doing their jobs effectively? Do people in your organization feel they are able to be both productive and secure whilst at work? Is it easy for them to conduct the behaviours you are trying to promote, and do they get prompts and reminders at timely intervals to encourage these behaviours?
We all know that we should exercise regularly and eat our daily fruit and vegetables, but does that mean that we all do it? No, of course we don’t, because having knowledge is not the sole driver of human behaviour.
Nudges are interventions in a given context that are designed to steer people towards a desired behaviour. In essence, they support people who already intend to be compliant to actually ‘do the right thing’ and make positive choices for themselves and the organization. Nudging complements more traditional routes to achieving compliance, such as training, policy, or legislation, by providing the choice architecture that supports people to apply their training and comply with policies.
Introducing ‘cyber nudges’ can help employees overcome the bad habits they have picked up by trying to deliver quickly in fast-paced work environments.
Making mistakes is human nature but, by building a culture of cyber resilience, organizations can take a more robust approach to managing cyber risks. Investing in people as well as business operations and technology, improves an organization’s ability to anticipate, withstand, recover, and adapt in the face of inevitable cyber-attacks. In sum, it will build organizational cyber resilience.
Sources: Verizon 2022 Data Breach Investigations Report; Egress Insider Data Breach Survey 2021; Netwrix 2020 Cyber Threats Report.
About the author
Global Business Continuity Lead