This Cybersecurity Month, ISC2 Insights is focusing on all aspects of the profession and asked our volunteers to answer a few questions. Today we look at the question: what actions prove that members of your organization support a strong culture of security? ISC2 members discuss leadership buy-in, metrics and getting everyone in the organization to play a role in cybersecurity.

Everyone is a Stakeholder
Members stressed the importance of a top-to-bottom commitment from organizations. Ensuring all parties engage as stakeholders of the overall cybersecurity posture was a common theme from respondents.
The biggest indicator of a strong security culture is when security becomes second nature, said Samuel M. Tilling, CISSP, SSCP, CC. This occurs “when our staff proactively report phishing attempts without being prompted, or when project leads involve security early in the planning stages instead of bolting it on at the end.”
Joe Hawley, CISSP, had a similar take: “A strong culture is rooted in belonging. When we come together with a shared purpose—to safeguard what matters most, including our people and our mission—we build a collective strength that is difficult to break.”
Organizations should have business information security partners, he said. “These roles help connect enterprise security with business objectives, fostering collaboration and mutual respect.” Treating security like a black box, he added, makes people reluctant to engage. “When security teams remain isolated, they can unintentionally build walls that hinder progress.”
(Eric) Vu Van Than, CISSP, SSCP, CC, said a strong security culture requires leaders to view each department as a critical layer of the defense strategy. “A strong culture of security,” he said, “is evident when employees at all levels:”
- Report suspicious activities without fear of blame or retaliation
- Actively participate in incident response drills and red team/tabletop simulations
- Support and comply with security initiatives and programs without resistance
Setting Goals & Identifying Metrics
Awareness training is essential to building a strong security culture. “It's important that from the top down, everyone takes part in education and training,” said Jennifer Blacker, CISSP. “If they see the CEO practicing good cyber hygiene, everyone else will as well.”
But how do you know if the training is working? Troy Goodman, CISSP, CGRC, recommends keeping metrics. Metrics indicate if employees are retaining information about security. For instance, if they are not clicking on email links to compromised sites – or doing so less frequently – it shows the training is having an effect.
Cary Vidal, CISSP, said having security-related KPIs at the organization level shows commitment to cybersecurity. “This is usually an indication that it’s valued to some extent, and if it’s measured, it will inevitably drive the culture around it.”
Metrics and goals, of course, require management buy-in, as does the allocation of resources, said Ser Dyk Aldeza, CISSP.
Bruno Chéry, CISSP, CCSP, said the security team should treat senior management as its first customer, turning them into cybersecurity advocates. “Top-management buy-in is essential. You need to help your senior management publicly support security initiatives, take the awareness training first and talk about it, and support and challenge the security budget based on actual business metrics and not feels.”
Follow along with us this Cybersecurity Month on LinkedIn as we showcase ISC2 member-driven articles from experience to guidance. If you are a small business or non-profit interested in support to drive a culture of cybersecurity, consider scheduling a free Cybersecurity Health Check, where you’ll receive a checklist to help you mitigate your cyber risk, available from ISC2’s charitable arm, the Center for Cyber Safety & Education and ISC2 volunteers.
ISC2 Webinar
New to the security industry? Or thinking about transitioning into an information security role? If so, this webinar is for you. Please join us for a virtual webinar, Security Industry 101: What Every Newcomer Needs to Know, on October 15 at 1:00 p.m. ET. The session will cover what you need to know about the cybersecurity field, including: