Introduction

In the fast-evolving landscape of cybersecurity, it's not enough for organisations to simply adopt a framework or set of technical controls. The true essence of cybersecurity resilience and sustainability lies in the cultural fabric and governance structures of an organisation.

Let's embark on a journey through the ups and downs of a hypothetical organisation's cybersecurity program to understand why culture and governance are key pillars in the battle for digital security.

Hypothetical scenario

Imagine an organisation, like many others, spurred into action by a significant cybersecurity event or an internal mandate to improve cybersecurity. Recognising the urgent need to fortify their defences, they select a cybersecurity framework and controls library, mobilise teams on fixing technology, and kickstart a cybersecurity program. Initial efforts yield promising results, with an uplift in posture and a sense of accomplishment.

However, as time passes, cracks begin to emerge in the once-thriving program. Progress slows down, and teams, consumed by day-to-day operations and competing priorities, start to lose focus, revert to old ways of working, and begin to neglect cybersecurity practices. The sense of urgency wanes, and without cultural change or clear governance structures, adherence becomes inconsistent.

Eventually, the program stagnates, and the organisation finds itself grappling with a sobering realisation, they may be remediating risks and vulnerabilities while the program is in play, but once the focus shifts, risks and vulnerabilities resurface.

So, what went wrong?

The missing piece of the puzzle lies in the overlooked aspects of culture and governance. While the chosen framework and controls library may have addressed the technical aspects adequately, many organisations lose sight of the importance of embedding a culture of security consciousness across the organisation.

Culture is the bedrock upon which cybersecurity resilience is built. It's about instilling a mindset of awareness and accountability across every level of the organisation. Preparing to uplift cyber maturity and redefine priorities requires a considered investment in people, culture, and governance. Without cultural change and robust governance practices, resilient and sustainable cybersecurity practices remain elusive.

The above scenario underscores the critical need for cybersecurity frameworks to explicitly integrate culture and governance aspects to better support organisations who are just starting their journey, as it's far too easy to get carried away with tactical remediation activities. Culture and governance will enable the organisation to continuously evolve and adapt to a shifting landscape.

Frameworks and standards such as the NIST Cybersecurity Framework (CSF) and ISO/IEC 27000, emphasise the importance of governance alongside technical controls. By incorporating these considerations, they provide a more holistic approach to cybersecurity.

However, for Australians familiar with the ASD/ACSC Essential Eight mitigation strategies, the need for culture and governance is equally paramount. While the Essential Eight calls out critical mitigation strategies, organisational change remains implied and can easily be overlooked. Hence, it's incumbent upon organisations to proactively integrate these pillars into their cybersecurity program to ensure long-term cyber resilience.

Shifting the needle on culture and governance

Before embarking on your cybersecurity program, start with the why and work with teams and leaders across the organisation to bring them up to speed with the need for change, the backing motivation, increase in priority, and ensure that open discussions can be had in a safe space. You are after all asking teams to incorporate additional concerns, considerations, and effort into their day to day, and some may be more ready and willing than others.

In addition to the why, a clear and on-going communication channel needs to be established between teams and leaders, to support conversations that will arise out of prioritisation conflicts when the rubber meets the road. While the cybersecurity program may be new, established teams will have quite extensive backlogs and roadmaps, and these will need to be adjusted and reviewed regularly to ensure that the organisation is taking a balanced approach and is focused on desired outcomes.

Taking teams and leaders on the journey and building champions is critical as the cybersecurity team can't be in every conversation across the organisation and should instead focus on supporting and guiding the organisation to ensure that it is operating within its desired risk appetite, acting as a strategic advisor.

Governance and metrics are equally as important in successfully managing a resilient and sustainable program that is working to deliver organisational change. The program must be able to quantify whether the underlying uplift initiatives are moving the needle strategically, or simply providing tactical remediation.

Initial metrics don't need to be complex or advanced, as you won't have the required data early in the program, and initial metrics could be as simple as measuring engagement by tracking how many risks and incidents are being raised. Engagement is especially important as you need to cultivate an open and safe culture where teams feel safe to speak up, ensuring that your organisation is not blind sighted by critical risks. The breadth and depth of metrics can be expanded over time, and as capability matures.

Irrespective of how your organisation embarks on this journey, it's important to move beyond the tactical items and not lose sight of other critical initiatives such as raising awareness and education, defining policies to set requirements and scale the program, integrating cybersecurity risk into your organisational risk register, and developing incident response plans and capability to prepare your organisation for a cybersecurity event.

Conclusion

In conclusion, the resilience and sustainability of an organisation's cybersecurity program hinges not only on technical measures, but also on cultivating a culture of cyber awareness and establishing robust governance practices. As cyber threats continue to evolve, organisations must recognise the relationship between technology, culture, and governance in safeguarding their digital assets.

Only through a unified approach can we navigate the complexities of cybersecurity.