Embracing a Culture of Cybersecurity

Authors: GRIMM CEO Jennifer Tisdale and Senior Principal Researcher Matt Carpenter

Cyber adversaries are becoming more skilled -- and more ruthless. Cybersecurity Ventures projects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025. Given the scope and scale of what is at stake, companies should not hesitate to make cybersecurity part of their organizational culture.

What is at Stake? 

Cybersecurity risks vary with the industry an organization serves, but what is at stake includes, and is certainly not limited to:

  • Intellectual Property (IP);
  • Technical Data;
  • Employee, Consumer or Patient Personally Identifiable Information (PII);
  • Advanced and Additive Manufacturing Production Quality;
  • Industrial Control Systems (ICS) for Power & Energy, Water Treatment, Oil & Gas, or Nuclear Energy;
  • Financial Systems (Electronic banking, Point-of-Sale (POS) Systems);
  • Medical Device functionality;
  • Functional Safety for Public and Private Transportation Systems;
  • Brand management;
  • Legal and liability protections.

So how do you nurture a culture of cybersecurity that tasks every member of your organization with embracing attitudes and beliefs that drive secure behaviors? 

Nurturing a Culture of Security 

Cybersecurity culture is a subset of the overall corporate culture. It harnesses beliefs and values to promote secure behaviors by employees in everyday work activities. 

The process involves:

  • Educating the organization through cybersecurity training and awareness;
  • Implementing a long-term strategy across the whole organization, inclusive of many teams, not just the technical departments;
  • Instituting a layered approach to cybersecurity, and remembering to think of security as a verb or action and not simply a noun;
  • Outlining your goals, and understanding the organization's risk tolerance and where the risk exists;
  • Personalizing the experience: an Incident Response (IR) plan should meet and address the organization's unique concerns and needs;
  • Practicing IR through thought or Tabletop Exercises;
  • Not hiring a cyber consultancy that does not outline its exit strategy.

By intentionally weaving cybersecurity through organizational policies and practices you create a proactive culture shift and collaborative approach where everyone is responsible.

The Future of Cybersecurity is People-Driven. 

It is also time to create a narrative that empowers employees to become your greatest cyber ambassadors. The best approach to keeping people engaged and building a security culture is to personalize their experience.

Inspiring your teams to take ownership of their digital security works best when your approach to security culture and education is personal. People need to see their own stories embedded within the culture. You can achieve this "all in" mentality by incorporating security into your vision and mission at the highest levels. Internally at GRIMM, we align our teams to underscore the importance of security from the highest levels. Our strategy includes C-level execs, individual managers and team leads.

Your Employees are your First and Middle Lines of Defense and the Greatest Attack Surface.

Your employees, contractors, and consultants must be well motivated to act as the first defense against cyber threats. If you want your employees to take ownership of cybersecurity:

  • Ensure you share the bigger vision through transparent communication to build trust and clarity.
  • Foster collaboration by involving them in the conversation. Be open to suggestions and insights.
  • Make it easy for them to do the right thing at all times.
  • Embrace a constructive approach instead of being punitive.
  • Let the executives lead by example.

"Employees may help reduce risk by good cybersecurity practices (part of Prevention), and they may discover oddities and signs of compromise (part of Detection)," said GRIMM Senior Principal Matt Carpenter. "They are certainly one of the critical ways malware (aka Implants, or C2 endpoints) finds its way into a corporate network. Click here, Install this plugin, Free <blahblahblah>, MUST ACT NOW! Manipulating people has been the most constant successful attack, long before computers were invented." 

Moving From Words to Action

When trying to build a culture of cybersecurity, start small. Regularly conducting red-team exercises (including social engineering, adversary emulation, and penetration tests) can also help spur employee engagement. By taking the time to understand and implement the necessary security measures, businesses can better protect themselves from cyberattacks and safeguard their data and information.


If you connect it, WE protect it. GRIMM experts provide turnkey cybersecurity solutions for the most complex connected networks, systems and products. Contact our team today to increase your cybersecurity posture.