Five Ways to Build a Business Culture Around Cybersecurity


August 15, 2023

If you are in a high-level position at your company, you might think that your IT (Information Technology) staff has already taken care of cybersecurity. However, senior leaders play a crucial role in cybersecurity. They set an example, guide the direction, and show what is important in the company. By talking about and showing that you care about cybersecurity, you can influence your employees and build a business culture around cybersecurity

So, how can you make progress in cybersecurity? From my experience as a Virtual Chief Information Security Officer, I have seen many effective strategies used by top executives. We’ll focus on five of those strategies here today. Let’s go through them. 


Five ways to build a business culture around cybersecurity:

Technology is everywhere in your business, so cybersecurity should be too. As a leader, it is important to think about how cybersecurity fits whenever you are considering new projects. If you make this a regular part of your decision-making, your employees will follow your lead. Here are some specific ways to emphasize cybersecurity in your business. 


#1: Set clear security rules

Basic things like managing passwords, securing mobile devices, and teaching employees about security are important for everyone in your company. Making these measures mandatory and easy to follow can help. 

Give each employee a secure password vault to manage their passwords. This protects both their personal accounts and the company’s data. Remind them that writing down passwords or leaving sensitive information exposed is not allowed. 

Display posters with information security messaging, include it in newsletters, and talk about it in your communications. Train managers to enforce these rules. 

Also, make sure your employees understand the rules for using personal devices securely at work. Demonstrate model behavior by properly managing your own device(s). 

Consider using single sign-on tools with strong security measures like Duo. This makes it safer for everyone to access company systems. 

It may sound basic, but it is important for everyone to follow these rules. Everyone – no exceptions. 


#2: Invest in ongoing employee cybersecurity training

Just having policies and tools is not enough. Regular training is necessary to help employees stay prepared for the cybersecurity challenges they face every day. 

Start by training new employees in company policies. At Integris, we use online training that is easy to track. It helps employees learn about company expectations and what they need to do. 

But training does not stop there. Keep reinforcing it and testing employees every month or quarter. It is not as hard as it seems. Our monthly online training, available through an online portal, explains common threats and gives advice for each situation. After the training, employees take quizzes to test what they have learned. We also send de-fanged phishing emails to test their awareness and teach them how to avoid scams. 

You might wonder how senior leaders fit in. Well, as an executive, you should watch your employees’ training scores and use them as an important measure of how well your company is doing. Your employees are the first line of defense against hackers, so prioritizing their training is wise. 


#3: Strengthen security with regular penetration tests

We have talked about testing employees with phishing emails, but there is another test that is important: a yearly penetration test. This test simulates what a motivated hacker might do. It helps you see how well your security measures work and find weak spots. 

Make the results of these tests part of the metrics your executive team reviews every year, or even every month. This way, you can make sure your security plan is doing what it is supposed to. 


#4: Back up words with actions

Many companies think they’re compliant with applicable laws and standards. But often, when you look closely, gaps in documentation or elsewhere in the control’s environment are discovered.  

To avoid scrambling when regulators review your company, consider having a qualified Managed Service Provider (MSP) do a thorough check every few years. They can make sure your records are complete and ready for review. Regular reports, like logs of software updates, cybersecurity monitoring, and disaster recovery plans, should be part of your routine. If you keep track of these things and show your team that you are paying attention, you will be well-prepared if a problem comes up. 


#5: Lead by example in cybersecurity

It is not good if your executive team talks about cybersecurity but does not follow the rules themselves. Leading by example is important. Be the one to take security seriously, even if it is inconvenient. Show your employees that you care about it personally. 

Since executive teams often handle sensitive company data, your devices should be more secure than others’. Keep in mind that hackers often pretend to be high-level executives. Do not give them a chance to succeed. 


A Strong Cybersecurity Culture is the best defense

As a senior leader, you can help your IT team and reduce the chance of cybersecurity problems. These strategies are just a starting point. If you want to learn more about creating a strong cybersecurity program for your company, our Virtual Chief Information Security Officers are here to help. Contact us for more information.

Darrin Maggy is the Information Security Operations Manager for the Integris vCISO program. A CISSP with over 25 years of experience, Darrin provides leadership and oversight for Integris' vCISO team.

Keep reading

vCIO vs. vCISO: What’s The Difference? 

vCIO vs. vCISO: What’s The Difference? 

Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...

Retainers for vCIOs and vCISOs: A Comprehensive Guide

Retainers for vCIOs and vCISOs: A Comprehensive Guide

If you're running an IT department at a small to mid-size company, you know— the demands on your infrastructure are greater than ever. Cyber threats are growing at an alarming pace, primarily fueled by the accessibility of AI to hackers. Cloud productivity, system...