It Starts at the Top – Your Board’s Impact on Security Culture

Who “owns” your company’s security culture? Your first thought might be the IT department. But that’s a focus that’s too narrow and too specialized to truly own the culture. Your second thought might be your senior leadership team, and that’s getting warmer. But ultimately, security culture is a board-level imperative.

Employees obviously play a large role in ensuring a strong security culture and protecting company, employee, and customer data. But security culture isn’t built from the ground up—it’s built from the top down. And that starts with your board of directors. If they’re not on board, your attempts to create a strong security culture are likely to fail.

Many companies, though, fail to bring these critical stakeholders—and allies—into the fold when it comes to security, but there are steps you can take to bolster their role and positively impact your company’s security culture.

Starting Conversations—Within the Executive Team and Board

How engaged is your board and your leadership team with your organization’s cybersecurity efforts? If you’re like many organizations, the answer sadly may be “not very engaged.”

Getting them engaged requires starting conversations around security. But not just any type of conversation. Conversations with a purpose—and a plan.

We recommend using a simple filter or formula to help improve your executive communication around security (and frankly, about any critical company issue):

information → story / narrative → transparency and metrics → insight and direction

Information informs your narrative or story. But effective communication isn’t simply about sharing information. It’s about sharing information with a purpose through stories—or examples. Data and details matter, but they don’t have as much impact unless they’re woven into a story.

Organizations must also be transparent and accurate with the information they share. Don’t hold anything back. Don’t attempt to whitewash the information. Tell it like it is. And tell them what it means.

Once you’ve woven your story and supported the story with meaningful metrics, the final step is to offer insight and direction. You’ll be answering questions like “What does this all mean?” “How does our organization compare to other similar organizations?” and “Where do we go from here?” Don’t assume that your senior leaders or board members know. Have conversations that bring out these key insights and lead to actions that can strengthen security.

Bring Them Into the Loop—the Importance of Training and Ongoing Updates

Helping the board understand your security culture and implications related to cybersecurity and risks isn’t a one-time, or once-a-year, event. It’s an ongoing process. That means ensuring that communication is ongoing—potentially even a standing item on each board agenda. It also means that board members may need to participate in training to help them thoroughly understand the security implications of their actions, or inaction.

Board members are part of your human-layer defense. Unfortunately, while 85 percent of security breaches are attributed to human error, very little security spending is focused on the human layer—and an even smaller percentage is focused on board members who are, of course, part of that human layer.

Help Them Play an Important Role as Powerful Role Models

Your board members serve at the highest level of leadership within your organization. While employees may not see them every day (or even know who they are), their actions do have an impact.

Security and, particularly, human-layer defenses and your organization’s security culture should be key conversation topics within the executive team and board. When board members interact with leadership and staff during meetings or other types of interactions, they have the opportunity to support the company’s efforts related to security through their own words, deeds—and interest. Make sure board members are up-to-date and engaged in your company’s efforts to build and maintain a strong security culture.

Building a security culture and bolstering your human-layer defenses deserve attention at the highest levels of your organization—if your company has a board, that means them. What are you doing to ensure your board members are prepared to model behaviors that support a security culture?

Cybercriminals are doubling down on their attempts to attack your systems and your data. You need to fight back. Board members can be important allies here—if they’re involved, engaged, and armed with the information they need to support security efforts.

About the Author

Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and the host of the 8th Layer Insights podcast on The CyberWire network. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.