“Risk is not knowing what you are doing.” -Warren Buffett
After studying and advising on corporate culture for 35-plus years, I have developed a twist on Warren’s sage quote. Mine goes like this:
Risk is also not knowing what your culture is doing.
We know by now that corporate culture is critical to business success or failure. Compare the stellar performance of Southwest Airlines to the hubris and fraud at Volkswagen, or the fall of the once revered Wells Fargo bank. And corporate culture has a huge role to play in cyber security.
A false sense of security?
I learned to drive in the US, where stop signs and later traffic lights were the norm. My first encounter at a UK roundabout was as a tourist, and it was a mess: not only was I driving on a different side of the road, and from a different side of the car, but I was totally ignorant of the “rules” related to roundabouts.
It’s easy to understand how traffic accidents happen when a driver is ignorant of the rules and driving “etiquette”. But what happens when we know the rules? Is there a safety difference between traffic lights and roundabouts? And if so, why? And what the heck has all this got to do with cyber security?
Accountability for road safety
Data on traffic accident rates for roundabouts, traffic lights, and stop signs tell an interesting story.
At a roundabout, each driver takes personal accountability for their own safety and the safety of other cars. This shared accountability causes drivers to focus on their environment, and evaluate multiple scenarios for remaining safe. Of the three mechanisms, roundabouts have the lowest accident and fatality rates.
Driver behavior at stop signs is full of assumptions. If I stop, others will stop as well. Once I stop, it is okay to proceed. A lot of assumptions! And they are often false.
Traffic lights, meanwhile, are hazardous because people rely on the technology to keep them safe. Green means Go, Red means Stop and Yellow should mean caution. But when it comes to human behavior, being first, beating the light, zooming through a Yellow, are very real and often dangerous human actions. And the statistics show this clearly. Relying on technology to keep us safe is not 100% failproof.
Accountability for Cyber Security
We are losing the war on cyber security. It’s a technology arms race, with the bad actors overcoming every attempt to build cyber safe technologies, and the costs are huge: well over $1 trillion today. Each cyber breach costs the average business over $4.5 million, including recovery costs, lost revenue, and damaged customer loyalty.
Just like road safety, businesses cannot rely on technology to stay cyber safe; instead, as with the roundabout, it takes a culture of personal accountability to keep everyone secure.
Culture risks to cyber safety
Cyber safety cannot flourish amidst poor trust, stress, leadership, and communication. For employees tasked with stretch goals, cyber safety often takes a back seat. The human impact on cyber safety is massively underestimated, often in favour of technology and regulations. We need a third leg to the cyber security stool - a specifically designed cyber security culture.
PYXIS Culture Technologies uses data analytics to proactively build and manage cyber safe cultures. With over 35 years of business expertise, we understand culture as a business ecosystem of root cause factors that drive employee attitudes and behaviors. And we can now visually map these factors.
Using a combination of data analytics, systems modelling and behavioural science, we have developed a software platform to map and identify culture risks to cyber security. We also draw on an extensive library of cultural best practices to support business leaders in building a more robust cyber security culture.
Combining data analytics, technology and human behavior insights will go a long way in creating a more accountable culture that reduces cyber risks.