Cybersecurity: Culture Is King

By Cathy Quon, Chris Harper, Kim Lewis and Sapna McCarthy

Chris Harper – Emerson Associate Director: You’ve probably heard the saying, “culture eats strategy for breakfast,” and that’s because culture is really hard to change.

Sapna McCarthy – Emerson Consulting Manager: The organizational culture is the most important fact that you’re dealing with when you’re trying to change behaviors.

What is culture?
• It’s the unspoken rules by which decisions get made.
• It’s what gets rewarded and punished.
• It’s a collection of very strong organizational habits.

Cathy Quon – Emerson Vice President: Culture is so powerful it can actually crush its opposition. Let me give you an example. At a client where the culture was really family oriented, they brought in a new CEO whose mission was really to make them more operationally excellent. Well, he did that and there were advantages to that, but at the same time, he wanted to change the culture to be very bottom-line oriented. They reacted to it very poorly. And guess what? The culture won and the CEO was booted out after only about a year.

Don’t try to change your culture…work with it.

Chris Harper – Emerson Associate Director: Changing culture can be really traumatic.

Cathy Quon – Emerson Vice President: Trying to change culture is like trying to change the course of a road. It doesn’t work. You need to, instead, be more Zen. Go with the flow. Make sure your leaders are role models for the behaviors you want to see around cybersecurity.

Kim Lewis – Emerson Client Director: When you’re looking at culture change and you’re looking at cyber-attacks, the first thing really to do is understand your culture.

Who gets celebrated and rewarded?
• Is it the innovator, who moves fast and fails a few times before a win?
• Is it the meticulous person who gets all the facts right?
• Is it the team player who shares credit and builds enthusiasm?

Talk about culture with colleagues and you’ll have a good idea. Then use that knowledge to change cyber behaviors.

“We do things fast and do not reprimand failure. We send that message with our internal hacking attempts. If you fail, it’s okay as long as we learn from it.” – Behruz Nassre, VP Technical Operations, Security & Compliance, TubeMogul

Know your culture. Use it to get the right behaviors.

John Wondolowski – Chief Technology Officer, CMI: Well, there’s one really great example and I think a lot of people in security and IT know of this example, and that’s Salesforce.com. So you think about security from Salesforce’s standpoint and it really is a huge risk to their business. If they had a security breach, it would so adversely impact their business it could conceivably be an existential threat to their business. So security is really, really important to Salesforce. The number one value that they’ve built the company on is trust. And the Chief Information Officer at Salesforce has done an outstanding job of drilling into that particular value – trust. And in that way, it really blocked the culture and cybersecurity into the DNA of the company.

Chris Harper – Emerson Associate Director: So the best thing to do is understand your company’s culture and then work with it. So if your culture is about superstars, find the people that are doing things well and recognize them. Put them in the spotlight. If you’re all about team meetings, hold a team meeting.

If you want to change cybersecurity behavior, get your culture working for you, not against you.

Sapna McCarthy – Emerson Consulting Manager: If you try to put behaviors in place that don’t jive with your organization’s culture, they won’t stand.

Chris Harper – Emerson Associate Director: The thing that’s interesting to me is that you have to use the culture to your benefit. You can’t try to cheat; it’s just not going to work. So if you can align what you’re trying to change with the culture, it’s just going to naturally go and people are going to get behind it. They’ll get swept up in the river.

Cathy Quon – Emerson Vice President: Exactly. So rather than changing the flow of the river, you go with it.

Chris Harper – Emerson Associate Director: Well, it’s like rafting. You’re trying to steer yourself through the rapids; you’re not trying to go upstream. It won’t work.