Why fostering a culture of cybersecurity should be your company’s goal this year

Article | October 2020

The cyber-threat landscape is evolving. While technological developments and the rise of the Internet of Things have opened up new opportunities for businesses, they have also revealed a multiple of vulnerabilities ripe for exploitation. The coronavirus pandemic has further exacerbated the situation, in part due to the intrinsic security weaknesses associated with remote working. According to VMware Carbon Black’s latest Global Threat Report, 91% of executives have seen a rise in attacks due to the shift to WFH. Not only has current legislation failed to keep pace with the scope and complexity of cyberattacks, the fact remains that it is incredibly difficult to identify the perpetrators and bring them to justice. In the current cyber climate, information security professionals play a key role in keeping organizations safe. But they are not the only defense against breaches.

What is a culture of cybersecurity?

Despite their many vulnerabilities, computers do not make mistakes. It is humans’ capacity for error that makes cyberattacks so treacherous. CISOs and their teams can build impenetrable cyber fortresses but sometimes all it takes is one click on a malicious link for the whole operation to come crashing down.

Because of this, fostering a culture of cybersecurity constitutes one of the most important defense mechanisms for any organization. This doesn’t just mean implementing security protocols and briefing employees on common threats; it means providing comprehensive training on how to identify, prevent and mitigate potential cyberattacks. According to the 2018 Cybersecurity Report from ISACA and the CMMI Institute, “95% of global survey respondents identify a gap between their current and desired organizational culture of cybersecurity.” Sobering figures indeed. 

The problem is sending out a half-hearted PowerPoint on the dangers of hackers every six months is unlikely to prevent a large-scale data breach. To decrease the risk of successful cyberattacks, security must become second nature to employees and executives alike. Your average member of staff may be able to give a broad definition of what phishing is but could they identify a sophisticated spear-phishing email sent from a spoofed email address? Do they know how to enable spam filters? Only once employees can recognize the risks themselves and take the appropriate steps to avoid them can an organization be said to be truly “cyber aware.”

Creating a cybersecurity roadmap

A holistic approach to cybersecurity training is vital when it comes to defending your business against attacks. While information security departments naturally bear the brunt of the responsibility for securing computer systems and networks, employees need to understand the key role they play in protecting valuable company assets. It is important to stress how their actions can positively or negatively affect the organization. Cybersecurity training should thus be tailored to each individual department so that the information provided is pertinent and thorough.

When trying to build a culture of cybersecurity — start small. Ensure training sessions are brief and regular rather than trying to cover every topic in one day. Opt for a microlearning approach: Divide subject matter into easily digestible chunks so that employees don’t get confused, bored or despondent. It is also essential to determine each member of staff’s level of understanding before you embark on an extensive training program. Someone working in IT is likely to be much more familiar with cyberthreats than someone working in marketing (although this is of course a generalization). If an employee is struggling to enable software updates, it is probably not the time to start talking about zero-day vulnerabilities. 

Metrics are also an important factor to consider. If you can’t assess how much employees have learned and absorbed, it will be very difficult to establish the ground left to cover. Assessment doesn’t necessarily need to take the form of formal tests or quizzes; team competitions or simulated attacks can also be valuable ways to evaluate progress. People also respond much more positively to training that is engaging and interactive. If you can make cybersecurity fun, you’re on to a winner.


A successful cyberattack can damage an organization’s finances and reputation and have far-reaching consequences in terms of future success. With hackers becoming ever-more sophisticated and prolific, organizations’ security relies on a solid culture of cybersecurity. The 2020 ESG report on technology spending intentions offered some hope for the future with 62% of survey respondents planning to increase cybersecurity spending in the coming year. However, unless this investment is accompanied by a commitment to fostering an internal culture of cybersecurity, the number of successful breaches will likely continue to rise.