Friday , 21 September 2018
Home » NEWS » THIS WEEK’S GURUS » 5 ways CEOs can create a culture of improvement vs blame when it comes to cybersecurity
Rick McElroy, security strategist, Carbon Black
5 ways CEOs can create a culture of improvement vs blame when it comes to cybersecurity

5 ways CEOs can create a culture of improvement vs blame when it comes to cybersecurity

For those of you who haven’t come across one yet, I have written a series of articles recently focused on CEOs. In these articles I have been looking at a number of questions a CEO should be asking when thinking about the cybersecurity stance of their organisation. So far, I have discussed the importance of critical data encryption, safety programmes, and how to create a healthy company culture towards cybersecurity, among other topics. In this article, I will discuss why organisations should have an ongoing, continuous assessment plan.

Continuous improvement seems like common sense for any function but after meeting with teams all over the world, I can say it isn’t that common. For a security function to be successful, there should be a process for continuous improvement. This could arguably be the trait that separates successful programmes from ones that aren’t. Too often, security becomes rigid without a loop for improvement.

As your organisation grows and evolves, so must your cybersecurity program. Risks, threats and vulnerabilities change over time. Business models change. All of these factors matter for a programme to evolve and constantly improve.


The inputs to security assessments vary and can be built internally. There are also plenty of qualified external entities that can help assess the programme and put a plan in place for continuous improvement.


What are the five steps to creating a culture of continuous improvement?


  1. Set goals for excellence and measure against them.


For cybersecurity to be successful, the mission of the programme, goals, and success metrics should be agreed upon and reported on regularly. Maturing your programme will take a steady hand and patience at your level. Changing missions or strategies too often is a sure way to miss any security goal you have.


  1. Eliminate fear


For continuous improvement to be successful, your organisation needs a culture where failure is OK. If your employees are afraid to bring up issues, you will never improve. Employees also need to feel like management is addressing failures when it occurs. Having a great process in place with a feedback loop to improve will ensure a culture that minimises fear and maximises improvement. It’s also amazing for employee engagement.


  1. Actively manage the process


As with any process, continuous improvement should be managed. The outputs of managing this process may include both tactical and strategic efforts. Your team should have a process to manage and report up to appropriate levels on these efforts.


  1. Train and develop leaders with the same mindset for improvement


Leaders in your organisation should be trained on improvement techniques and best practices. They should also be rewarded for offering improvement suggestions and, more importantly, for executing on the efforts needed to improve. These types of employees and leaders should be developed and retained to maximise the continuous improvement cycle at your organisation.


  1. Focus on fixing, not blaming


Far too often, we see CISOs and cybersecurity leaders being blamed and/or replaced as the result of a failure. This has to stop. What other function in an organisation is held to the standard of needing to be 100% right all of the time? In almost every case, a breach is systemic and there are multiple points along the timeline that lead to the breach.

Creating a culture that focuses on improvement versus blame will create a ripple effect in your organisation allowing leaders to operate more freely. Things will happen. Acknowledge that failures will happen. Acknowledge that people will make mistakes. It’s not what happens when someone makes a mistakes or when something fails but how your organisation responds. Cybersecurity isn’t about perfection. It’s about failing fast, iterating, and constantly improving.

About Japonica Jackson

Japonica is head of editorial at IT Security Guru. If you'd like to get in touch with Japonica, please email