Skip to Content
Cyber and Privacy Risk and Insurance

Leadership in Developing Cultures of Security

Mark Lanterman | September 21, 2018

On This Page
Malicious hacker from behind in a hoodie using a computer

As large-scale data breaches, social media gaffs (my last article was on Roseanne Barr's terrible tweeting this past spring), ransomware attacks, and other cyber events light up our news feeds, large and small organizations alike are reviewing their cyber-security protocols with new interest. Organizations are held accountable to an unprecedented degree for their handling of technology and personal data.

With mass media coverage and largely negative perceptions of organizations that fall prey to cyber attacks, I would say it's one of the few instances in which the victimized party is actively blamed by the public over the attacker. Clearly, cyber security and data management ought to be top priorities for all members of an organization, not just the information technology (IT) department.

The Importance of Leadership in Cyber Issues

I have found that in many cases, "top-down" leadership is notably lacking in many organizational settings in spite of any written policies or practices. That is to say that leadership is often nonexistent in upper management and IT departments, and lower-level staff members are left scrambling when things go awry. Since no one wants to correct their boss, upper-level employees seem to have a free pass when it comes to ignoring or altering the practice of cyber policies. In all sectors, this is detrimental to everyone.

Within medical settings, this can translate as compromising patient data. For the entertainment industry, scripts can be leaked. For insurance companies, client data may be stolen and sold on the Dark Web. When the consequences for nonexistent or weak cyber-security policies and reporting mechanisms are severe, upper management leadership is the difference between staying afloat or drowning.

In this article, I will discuss the importance of dedicated cyber-security roles in governance, communication between IT departments, and upper management leadership in creating and implementing mitigation and response plans.

Governance in Cyber Security

Having dedicated cyber-security personnel helps to ensure smooth security governance procedures. Governance in cyber security essentially boils down to knowing who is responsible for doing what in your organization, when and how they're going to do it, and who is accountable for things that don't go according to plan.

Strong governance frameworks largely depend on having strong support from the top down, with one key person responsible for cyber security. The position of chief technology officer is typically implemented as a way to have a go-to person for cyber security, someone who will ultimately be held accountable for security-related incidents and problems with protocol implementation. Education and training programs for employees are also responsibilities that fall under this role. Regular reporting of security assessment and vulnerability scanning results that consider critical assets also fall under this role, as communication with all stakeholders is imperative to both creating and sustaining viable cyber-security strategies.

With a strong role in place for cyber security, communication across departments is critical when it comes to strategy and large-scale implementation of written practices. When concern for cyber security is kept within the IT department, and upper management is slow to admit room for improvement, cultures of security cannot exist. Developing a culture of security is an ongoing process that requires education, training, responsiveness to the people at the forefront (IT departments), upper-level buy-in, and, most of all, constant communication about current threats and suggestions for improvement.

For example, phishing attacks are now a consistent threat across sectors. It doesn't matter anymore how large an organization is or what type of data is being stored, all organizations are being targeted by this simple, yet incredibly effective, cyber attack. Its effectiveness is largely due to the fact that phishing attacks do not take advantage of vulnerabilities found in technology. Rather, phishing attacks target people by tricking them into providing personal information by redirecting them to fake websites or into downloading malware to their systems.

Communication Is Key

Social engineering attacks can result in tremendous amounts of damage to an organization's financial bottom line, its functioning in the short-term, and its reputation in the long-term. With mass media coverage that seems to occur instantaneously, reputational damage is a constant risk posed by cyber crime as the public continues to demonstrate a very low tolerance for the mishandling of data. Communicating information to employees about the dangers of phishing attacks and providing education about spotting these types of scams, and how to report them, are critical.

Effective communication across departments is an important element of leadership and the type of support needed to make a culture of security. Developing cultures of security is much more intensive than writing a set-it-and-forget-it list of procedures that is reviewed annually only to be forgotten again by everyone except the IT department. While everyone is responsible for the successful carrying out of cyber-security strategies on a day-to-day basis, it is critical that an organization's governance framework is not so diffuse that it is impossible to pinpoint exactly who is in charge and accountable when it comes to managing cyber-security plans.


Having a designated security role is especially important in the event of a data breach or other cyber event that leaves an organization needing to mitigate damages. Having a specified framework, and a groundwork for accountability and mitigation steps, is very important to combating cyber attacks when they inevitably occur.

In spite of best efforts to implement proactive measures, such as the types of education and training designed to help employees recognize phishing attacks, many believe that becoming victims of cyber crime in this day and age is somewhat unavoidable. While this is up for debate, it is nevertheless true that, to some degree, it is likely. Having response procedures in place that lay out the responsibilities of involved parties saves organizations valuable time and energy in the event of a cyber attack. Instead of scrambling to put together a strategy once a breach or event has already occurred, mitigation plans that take into account security assessment results, public response and outreach, and any trusted vendors to assist in recovery help organizations take the first steps out of an attack.

Establishing a culture of security does not mean that an organization aims for a 100 percent success record; rather, it means having a solid security posture with an up-to-date pairing of proactive and reactive strategies for when something does go wrong.

Effective cyber-security postures are only as strong as the leadership that supports them. Without senior level buy-in, the best-written policies are useless, and technological safeguards are often not enough to keep an organization secure when social engineering attacks are often a hacker's favorite tool. Dedicated cyber-security roles that support communication across departments and the development of strong mitigation and response plans, in addition to the implementation of proactive measures, are elements of how leadership can support cultures of security. Leading the cyber-security charge from the top makes all of the difference in a world that increasingly distrusts organizations that become victims of cyber crime. When personal data is at stake, accountability and maintaining public trust requires constant leadership support.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.