Creating a Culture of Cybersecurity: An Interview with CulturSys’ John Childress

Creating a Culture of Cybersecurity: An Interview with CulturSys’ John Childress 864 486 N2K

Corporate culture — so hot right now. This topic seems to be on the tip of seemingly every senior executive’s tongue. And for good reason: With the U.S. unemployment rate hitting record lows, companies are competing furiously to hire and retain talent by creating enjoyable work environments for employees. At the same time, the #MeToo movement has raised awareness of how toxic workplaces can do enormous damage to an organization’s success.

Entire forests worth of trees has been used to create books about company culture. Far fewer words, however, have been written about cybersecurity culture — the shared beliefs and behaviors within a business that influence how workers handle cybersecurity. That’s why we recently sat down with one of the leading experts on this subject: John Childress, Chairman of CulturSys, Inc., a culture management consulting company. Childress discussed why culture is critical for organizational cyber resilience, and the steps businesses can take to build a robust company-wide secure digital culture.

Here are a few of the top takeaways from our interview:

Enterprise cybersecurity is everyone’s responsibility

Cybersecurity is a team sport. Everyone in an enterprise — from executives in the boardroom to janitors in the bathroom — has a role to play in creating a cyber-resilient culture.

Cybersecurity can no longer be solely the responsibility of the IT department. All employees must be invested in organizational cyber success.

“[Employees] are the human firewall,” Childress said. “They are the first line of defense. We need to prepare them, educate them, recognize them, reward them, and give them the kind of cultural environment so they can feel good about protecting an organization.”

Cybersecurity starts at home

There’s an old business adage: “Leave your problems at work at work and your problems at home at home.” But when it comes to cybersecurity, this is bad advice. Digital behavior bridges all areas of your life. Developing good cyber habits takes practice, both inside and outside of the office.  

“If we can get employees to feel that they’ve learned enough on the job to protect their family’s cybersecurity, then they’re going to bring those best practices to work with them,” Childress said.   

Corporate culture and cybersecurity culture are linked

Cybersecurity culture is a subcomponent of an organization’s overall culture. Companies that have a corrosive corporate culture are also likely to have a problematic digital culture.

“I don’t believe that you can have a strong cybersecurity culture unless you start improving your overall corporate culture,” Childress said.

Corporate culture and cybersecurity culture share the same drivers (e.g. leadership, onboarding, organizational structure, etc.). When you tinker with any of these common factors, you’re likely to see progress in all aspects of your company’s culture.

Cybersecurity training should be both intellectually and emotionally stimulating

Shifting cybersecurity culture is not a simple process. It needs to be done methodically. Some business leaders mistakenly believe that monetary rewards are the key to driving good digital behavior. But, studies have shown that financial incentives are not particularly effective for this type of endeavor. Rather, cybersecurity training should be experiential for employees. The most powerful training programs are both intellectually and emotionally stimulating — targeting employees’ heads and their hearts.

Watch Childress explain more below:


Want to improve your organization’s cybersecurity culture?

To see our full interview with John Childress, as well as interviews with other leading cyber subject matter experts, check out our Cyber Risk Seminars. Our executive-tailored training programs offer both on-site and on-demand that can help improve your company’s cyber culture — putting your organization in the strongest position to protect itself from complex digital threats.