Security Staff Acquisition & Development

Creating a CyberCulture

Author: Matt Loeb

When growing up, many of us probably heard warnings from our parents to be careful in certain environments—the local woods, a busy side street, or at the beach.  Our parents cautioned us out of concern for our well-being, and it served a purpose.

Their warnings were meant to raise our awareness of our surroundings, and ensure we would exercise care when appropriate. They reminded us that the safety of our environment depended upon the decisions we made. Today, we would be well-served to add one more domain to those dangers areas drilled into us: the world of cyber.

Like the woods and the beach where we played when we were young, cyber offers a great amount of reward, tempered with significant risk if we’re not prepared.

How do we evolve to a CyberCulture, though? How do we convince people that, for all the positive potential of technology, there is a dark side as well? How do we especially reach today’s digital natives, who have grown up largely responsible for their own security in cyberspace, and take security somewhat for granted?

First Step to CyberCulture

It starts with an initial decision: at what level should cyber security be a part of our daily lives? For a CyberCulture, in which security is a top-of-mind concern, the answer is simple—cyber security should be as prevalent in our lives as possible. There is one security measure that comes to mind that’s prevalent anywhere we look, from shopping carts, to cars, to airplanes, regardless if we are in Kenya, Kolkata, or Kentucky.


Cyber security needs to become the modern-day equivalent of seatbelts that can keep us protected when we are navigating down new roads at high speeds.   Yes, cyber security is a ‘security’ issue—but it’s a safety issue as well, for all of us. Nations, enterprises and individuals need strong cyber security—and all these entities need it for both safety and security. Most significantly, cyber security needs to become pervasive at all of those levels, and no one level is more important than another. To create a safe, secure CyberCulture, people, enterprises and nations needs to function in as complementary and synergistic a manner as possible.

For nations and governments, cyber security must be a prime concern, across the breadth of government, at all levels, and in all functions of government. Last month’s DefCon 2017 gave us an object lesson in protecting the entirety of governmental operations, when conference attendees hacked various election equipment in a matter of hours. Assessing the capabilities—and vulnerabilities—of that equipment should be as regular an activity in government as ordering office supplies. It should be part of a CyberCulture.

For individuals, the journey towards a CyberCulture should begin as early as possible.  We need to make cyber security and good ‘online hygiene’ part of core curricula at the pre-university level, to imbed the concept of security online at the earliest possible levels, and ensure that tomorrow’s digital (and eventually cognitive) natives don’t make cyber security an afterthought. Much like many universities already include humanities or similar courses as graduation requirements, we need to give similar importance to cyber security courses at the university level.

Rethinking All of Your Hires

And, just like we would subject potential candidates for a cyber security post to an evaluation of their abilities, maybe it’s time to start evaluating all potential hires—regardless of where they will work in the enterprise—on their abilities to assist in securing the enterprise through sound personal security habits. Likewise, the enterprise should be evaluated on a regular basis for how cybersecure its operations are, not merely from a technical standpoint, but from a cultural standpoint as well. In today’s digital economy, everything is connected; a hack of the cyber infrastructure of one enterprise imperils all with whom they work.

Creating a CyberCulture in which cyber security is as pervasive and commonplace as seatbelts isn’t a ‘nice goal’—it’s a necessity. We are all part of the digital economy now; our digital footprints span continents, borders and time zones. We’ve all helped to make cyberspace what it is today, contributing to its awe-inspiring power and frightening vulnerabilities.  It’s up to all of us to make cyber security what it can be, tomorrow, and to ensure that future digital natives continue to enjoy the positive potential of technology.

Buckle up… it promises to be a thrilling ride!

Matt Loeb is CEO of ISACA. Read more ISACA blogs here.