Exploring the Link between Cybersecurity and Organizational Culture
At this year’s Pink-LATAM conference, discussions centered around Agility, Business Value, Risk, and…Culture. The growing emphasis on culture and behavior in IT conferences highlights their crucial role in the digital transformation of organizations, not only within IT but across the entire enterprise. As organizations increasingly recognize the vital role of IT in their operations, a shift in mindset and behavioral change becomes necessary, particularly in the field of cybersecurity.
To shed light on the interplay between Risk and Culture, GamingWorks facilitated an Oceans99 business simulation workshop.
The Objectives of the Simulation
The simulation aimed to:
- Explore the impact of cybersecurity on the entire organization
- Utilize the CSX (Cybersecurity Nexus) framework for analysis and improvement
- Identify key learning points and takeaways
At the start of the session, the delegates were asked, “What are the key cybersecurity-related issues within your organizations that we want to address in this simulation?”
Current Issues Facing Organizations
The issues raised by the delegates included:
- User awareness
- Compliance with policies and regulations
- The impact of excessive policies and controls on agility
- Lack of policy enforcement
- Limited knowledge about customers and the business
- Disruption caused by new technologies and security controls
- Safeguarding all forms of data
- Access management
Behaviors and Culture Take Center Stage
It is evident that behaviors and culture are critical challenges facing organizations. To address these concerns, the Oceans99 simulation game was designed. In the game, the owner of the Bank of Tokyo seeks to exhibit three prized objects in Tokyo, while a criminal group called Oceans99 aims to steal them. The stakeholders in the game use information systems for planning, managing, transporting, monitoring, and selling tickets, providing multiple opportunities for Oceans99 to exploit vulnerabilities.
During the game, the participants were tasked with designing a Security Policy, conducting a Risk Assessment, and formulating a Strategy for investing in security countermeasures. The CSX ‘COBIT 5 – Model Behaviors in Cybersecurity’ framework was used throughout the exercises to reflect on the team’s performance and identify areas for improvement.
The Reality of Neglected Behaviors
One notable occurrence during the simulation was the team’s failure to actively engage with all stakeholders to identify critical information assets. Instead, they focused solely on physical objects like the car, diamond, and painting, neglecting crucial data such as route maps and credit card information. This limited approach extended to their failure to define clear responsibilities and accountabilities, especially concerning the board and business users.
The Call for Business Involvement
The simulation revealed a lack of involvement from users in shaping cybersecurity policies and concepts. COBIT 5 emphasizes the importance of “Treating the Business” and gaining a comprehensive understanding of vital assets, an aspect that was lacking in the team’s approach. Users also lacked a clear understanding of their responsibilities in shaping cybersecurity policies and concepts. Additionally, the importance of regularly updating cybersecurity concepts, policies, and standards in response to evolving daily realities was not recognized or acted upon.
A recent McKinsey report titled ‘Defending Your Critical Digital Assets: Not All Strategies and Data Are Created Equal’ highlights the need for organizations to prioritize assets of utmost importance. This finding emphasizes the need for a business understanding of critical assets and the risks they face.
The Urgent Need for Change
It is evident that cybersecurity is not solely an IT issue. CISOs and IT security specialists lack a deep understanding of the business implications surrounding critical assets. Without business accountability for identifying and protecting these assets, organizations face significant, hidden risks.
The subsequent exercise focused on Risk Assessment. COBIT 5 states that users should be sufficiently aware of the risks, threats, and vulnerabilities associated with attacks and breaches. However, the participants struggled to fill out the Risk forms due to their inadequate understanding of vulnerabilities. This gap highlighted the need for awareness training.
During the exercise, several stakeholders, including the owners of the Amsterdam and London Museums and the transport manager, fell victim to phishing emails. Although the Las Vegas stakeholder suspected a phishing attempt, the suspicion was dismissed by the CISO. Unfortunately, none of these incidents were logged as cybersecurity-related attacks. CSX emphasizes the importance of detailed knowledge of past attacks and incidents in supporting risk assessment. This further underlines the need for awareness training.
Takeaways from the Simulation
At the end of the session, the delegates were asked, “What did you discover in this session that you will do differently in your organization?”
The key takeaways included:
- Focusing on critical assets in collaboration with business owners and key users
- Utilizing a list of acknowledged issues to update policies, integrate them into incident management and monitoring, incorporate them into risk management, and review them in relation to critical assets
- Using the list of issues and real examples in awareness training to make everyone aware of critical assets and their impact
- Ensuring that awareness training is complemented by checks (e.g., phishing mail checks) to reinforce and correct behaviors until they become habits
- Involving all stakeholders, including the board and senior executives, in awareness training
- Aligning awareness training with the ‘COBIT 5 – Model Behaviors in Cybersecurity’
- Conducting risk assessments with the participation of all employees, with the CISO providing necessary training and making it an ongoing exercise
- Employing incident monitoring as input for risk assessment and awareness training
- Seeking external expertise for vulnerability checks to stay ahead of the curve
- Adopting a holistic approach to risk assessment, considering information, systems, physical assets, people, and culture
- Involving multiple stakeholders in policy-making, rather than solely relying on the CISO
- Building a business case for countermeasures based on critical assets’ impact on the business, with incident monitoring informing the decision-making process
- Ensuring top management involvement, commitment, and accountability, particularly at the board level
- Promoting effective end-to-end communication and understanding of policies, procedures, and critical assets
- Establishing a coordination role with a comprehensive vision to embed cybersecurity across the organization
- Utilizing a framework or best practice methodology such as CSX, with a specific focus on ‘Model Behaviors’
- Recognizing the power of the simulation game to illustrate the impact of misalignment and foster attitude and behavior change
The simulation proved to be a valuable learning experience for the delegates, prompting them to rethink their approaches. “This was eye-opening,” said one delegate.
The Overall Significance
Based on my experience conducting this simulation with several teams and CIOs, it is clear that there is insufficient focus on what CSX defines as ‘COBIT 5 – Model Behaviors in Cybersecurity’. Furthermore, awareness training tends to be generic and not tailored to specific organizational contexts and learning needs. It often remains a one-time exercise with little follow-up to embed ‘model behaviors’ into the culture and turn them into habits. While board members are becoming increasingly concerned about cybersecurity, they do not see it as a cultural change issue and fail to take responsibility. In all the sessions I’ve conducted, risk exercises primarily concentrate on IT-related risks and countermeasures.
Another vital takeaway is that cybersecurity plays a critical role in IT governance. Organizations must prioritize IT governance to achieve their IT transformation goals, focusing on benefits realization and risk optimization. Despite COBIT 5 being an industry-recognized framework for enabling Governance of Enterprise IT (GEIT), it is underutilized and poorly implemented. One of the key enablers for IT governance, according to COBIT, is the ‘Culture, Ethics, and Behavior’ enabler. However, guidance in this area is lacking, despite its popularity as shown by my highly accessed blog post. I urge ISACA to prioritize the production of guidance in this area and promote COBIT not just as an audit tool but as a means to address the pervasive issue of enterprise and IT alignment—the number one concern for CIOs according to the BITTI publication ‘Trends in Enterprise IT & OT.’
In conclusion, it is clear that we should not continue to ignore the model behaviors required for effective cybersecurity and IT governance.