Cyber culture starts with the CISO. Here’s how to lead the way.

Aarthi Natarajan

You’ve shaped your organization’s cyber strategy. You’re regularly communicating cyber issues and opportunities to your board and executive leadership. What’s more, they’re listening to what you have to say and trust your opinion. You’re now in an ideal position to shape a cyber-friendly culture throughout your organization.

Yes, your plate may already be filling up. But it’s time and effort well spent; trust us. Activities that strengthen cyber culture are force multipliers for proactive protection and prevention. For example, employees will enthusiastically update their passwords on a regular basis — and it’s not just changing “password” to “1234.” They’ll value — and actually take — the self-led online cyber training courses you send them. And they’ll know not to click on that phishing email that could bring your company down.

Moreover, building a strong cyber culture is your job as a CISO. You’ve long realized that your role is no longer solely about technical architecture and breach response. Today’s CISOs are also leaders and advisors in governance, risk, compliance (GRC) and business growth. And just as your responsibilities have increased with board communications, cultural leadership is the next logical step in your expanding and evolving role.

Here are some strategic tips to make the mission more manageable.

Keep the board in the loop — from cyber awareness to training

Cultural change starts at the top. Ever notice how the things talked about in board meetings and mentioned in the proxy statement magically and quickly appear in directives, memos, KPIs and goals? When the C-suite speaks, VPs pay attention — which means regional managers pay attention, which means these issues cascade down to every employee at every level.

Cybersecurity works the same way. When your priorities become board priorities, these activities have a far better chance of earning the time, resources, enforcement and action of your organization.

To strengthen cyber culture, the top things you’ll need to put on the board’s radar include:

  • Employee training: How is it being done, and for which skills and threats? What have the completion rates and feedback been so far?
  • Tools and tactics: What software are you using to safeguard data, protect IP and guard your perimeters (including third-party networks and edge computing)? How are you handling access control and physical security? Is it time to shift to new approaches or technologies? 
  • Testing: How well have all of the above measures been working? Share snapshots of your testing efforts, and include penetration testing by an outside firm.
  • Your cyber team: Who’s involved in your organization’s cybersecurity efforts, from internal cyber experts to external services in areas like monitoring? Is it time to review, augment or revisit these investments?

Communicate cybersecurity’s importance across your organization

“I don’t work in IT — why should I care?”

“Cyber attacks happen all the time and the world keeps running.”

To be engaged in your cybersecurity efforts, employees in all roles need to understand what’s in it for them. Here’s where the communication skills you’ve honed with the board come in handy.

In succinct, jargon-free terms, explain to them:

  • How much business your company would lose by the day, hour or even minute if a cyber attack took your website down
  • How much a data breach would cost your organization — in terms of fines and lost customer trust
  • How a rogue employee social media account could wreak havoc for your entire organization

Use statistics and examples. Tell a story. Leverage the tools your organization already uses for internal communications and board communications — think of email newsletters, Slack channels and employee intranets. Dashboards, visualizations and customizable reporting templates all help to make your message resonate across varying levels of education and tech savviness.

Throughout, communicate the business opportunity of strong cybersecurity practices along with the risk of not having them. When customers know their data and transactions are protected, they’re more likely to do business via your apps and online storefronts. And when your company holds third-party vendors to its own stringent cybersecurity standards, the resulting resilient networks and strong supply chains keep products and services moving in a reliable, timely fashion.

A strong cybersecurity culture brings several advantages from a governance, risk and compliance management standpoint as well. In a poll conducted during the “Future of GRC” webinar, nearly half of participants reported that they communicate risk, audit and compliance (RAC) issues separately, rather than jointly, to the board — a missed opportunity for collaborative discovery. Moreover, issues like data privacy factor into ESG disclosures, audits and regulatory requirements. So, the more your team shares its progress in working towards your organization’s GRC, RAC and ESG goals, the more confident and effective you’ll all be at keeping up with these obligations.

All of this adds up to a competitive, sustainable company and more economic security and opportunity for everyone. For individual employees, this value proposition suddenly casts what had been onerous practices like password management and online training videos in a whole new light. And for leaders in other departments across the organization — like governance, risk and compliance — you’ll show that the cyber experts are team players who recognize their role in the organization’s success.


The more that we can sell that story that we really are aligned with [business] initiatives, how we’re aligned with the initiatives, why we’re making them go faster and be cheaper — that story is really compelling and effective. And the more we can frame it in that positive light, the more likely we are to get buy-in.
– Kristy Grant-Hart, CEO, Spark Compliance Consulting


Show how a strong cyber culture reduces risk

Finally, make employees in your department and across your organization feel empowered. Your organization is doing something about cyber risk, and while it’s not perfect, it’s working. Be sure to highlight your latest activities for risk management and remediation and how they’ve been going:

  • Detecting and addressing potential vulnerabilities and incidents
  • Determining probable exposure and loss
  • Reducing this exposure and potential damage

Share highlights of both your challenges and achievements. Wherever possible, use visuals and keep your messaging simple. While your colleagues in data analytics will appreciate an elegant Monte Carlo analysis, others across the firm might find this specialized detail way over their heads and subsequently tune out.

In conclusion, cybersecurity is a team sport. You, the CISO, and your team need to align yourselves with the board, your colleagues in GRC and employees across the organization to bring cyber culture and values into the broader organization.

Aarthi Natarajan
Aarthi Natarajan, Senior Manager at Diligent, has expertise in the governance space for both corporations and not-for-profit organizations. She has worked extensively with corporate and mission-driven organization governance technologies as well as in the changing needs of hybrid and remote workforces.