Unlocking cyber resilience
The role of leadership in shaping organizational culture
In the 1980s, the General Motors company was facing stiff competition from Japanese auto manufacturers, who were by comparison able to produce more fuel-efficient cars with fewer defects in a shorter amount of time. To address this, GM partnered with Toyota to open a joint manufacturing plant incorporating Japanese-style management techniques with American labor. While management tried to tackle several challenges contributing to the inefficiency of production — there was one in particular that they saw as a quick win — getting workers to show up on time.
At GM, before the collaboration, there was an extensive absenteeism problem. Whereas, at Toyota, every worker in the manufacturing line played a critical role and was timed to the second. If a worker was late, it would disrupt the entire line. So, at this joint venture, they introduced what they thought was a straightforward change — each worker would have to clock in and start on time or their pay would be deducted.
The change, however, was anything but straightforward. Workers, who were used to lax start times and no enforcement or consequences, were expected to change their behavior overnight. What leadership failed to understand was that the reasons for chronic absenteeism were varied and multi-faceted, ranging from a deep mistrust of management to peer pressure from others to not comply. For GM, what started as a policy change had suddenly become an exercise in changing the entire culture of the organization.
There are many lessons organizations can take from the experience of the GM/Toyota partnership. Organizations looking to improve or change aspects of their business must not only evaluate people, processes, and technology but also look closely at its core values and the culture that drives employee behavior. The purpose of this article is to examine the role leadership plays in creating and ultimately transforming cultures, and what lessons from this can be applied to your organization’s change efforts to be more cyber resilient.
The role of leadership in driving organizational behavior
In my career, I’ve studied the influence of leadership on organizational dynamics ranging from traditional oil and gas giants to rapid-fire tech start-ups. Where these insights are typically beneficial is understanding the impact of leadership on business results or employee engagement.
However, leadership within a company has far-reaching and deep-seeded influences on the way humans in that organization behave, from doing the right thing to the worship of greed, from prioritizing sustainability to mass production and consumerism.
Leadership can be defined as the set of values, behaviors, and dynamics that are needed to execute the company’s strategy. While many assume leadership refers simply to individuals at the executive level of management, defined more broadly it also includes the core values of the company. Companies often articulate what leadership means to them in a set of competencies and/or attributes that they expect leaders to emulate.
The values of the company are often shaped by the industry and the markets in which they operate. Retail companies value customer-centricity. Technology companies value speed and innovation. When a company is clear on its values, leadership then becomes the vehicle that shapes the internal culture of the company through the influence of its leaders. Leaders communicate the vision, role model behaviors, reinforce company values, and make decisions that shape its future. As Schein* notes, “Leaders don’t just influence culture; they are the primary architects of it.”
So, what does that mean in the context of organizational culture? Schein helpfully defined organizational culture as “a pattern of thinking that a group has learned while solving problems that are then taught to new members of the group as the correct way to perceive, think, and feel about those problems”. These thinking patterns then lead to certain behaviors that then get reinforced when others in the group are seen displaying those behaviors.
The model below illustrates how what is visible to others (behaviors) has much deeper roots and meaning to a company than just the behavior on its own.
The way you perceive and think ultimately leads to how you will behave and react. This is how culture influences behaviors that then become second nature and thus difficult to change.
Changing company culture
So, what can General Motors teach us in the application of culture change?
One. Recognize that behavioral change does not happen only by forbidding behaviors. If you dig into the behavior of absenteeism in the case of GM, it is clear that the roots of that behavior went deep and needed to be understood and addressed first. Not doing that may mean that individuals will eventually go back to their old ways.
Two. Reconcile where there are competing values. It is helpful to look at the degree to which the culture of the company could conflict with the new behaviors the company wants to instill. Imagine the culture of the company is one of speed, agility, and “ask forgiveness, not permission”. Could implementing even more rules, procedures, and bureaucracy be viewed as conflicting with that culture?
Three. Tackle change from all angles. That means the company must change both what people do but also how they think. If one were to look at the iceberg model, that would mean initiatives aimed at both above and below the surface:
Above the surface, companies must be clear on the behaviors they want employees to adopt and communicate those expectations clearly and often.
Below the surface, companies need to define and incorporate their core values into the mindset of employees and therefore part of what it means to be a leader in the company.
Many companies do the first, but not as many do the second.
Instilling cyber security into the culture
The idea of transforming cyber security from a department to a culture has become prevalent.
According to IBM Security’s Threat Intelligence Index, human error accounts for 95% of cyber security breaches. Because people are so complex and unpredictable, addressing the human factor is a lot more difficult than implementing processes and technologies.
As a result, building cyber resilience into company culture requires a shift in both mindset and behavior. Here are 8 ideas that will help organizational leaders reinforce cyber security as a culture based on key principles of successful culture change initiatives:
Your leaders are either helping or hurting your efforts to create a cyber secure culture. If they are not taking it seriously, undermining the messaging, or exhibiting behaviors that are not secure, your job will become infinitely harder. Getting leaders who are influential to take every opportunity they get to talk about cyber security will have exponential effects on how effective policies are. Find your champions and work closely with them so they can be visible promoters.
There’s a saying that what gets measured gets done. Consider what metrics around cyber security can be openly shared with the organization and share them often with specific examples and stories.
To change an old pattern of thinking, one has to be led through a new pattern of thinking. When assessing training, look for options that allow participants to work through complex scenarios and allow for discussion and dilemmas, and not just click through e-learnings. They say you retain only 10% of what you are told, but 90% of what you practice.
Encourage leaders to share stories and examples of cyber incidents and the human behaviors that played a role in them, both positively and negatively. Leaders should be at the forefront of every incident, communicating outcomes and role-modeling behaviors they want to see in others. Consider all-hands meetings or town halls as great forums to share these stories.
Shift framing from negative behaviors to positive behaviors. Psychological studies have shown that positive behaviors, or those framed positively, align more with a positive self-concept and therefore are much more likely to be followed (e.g. Negative framing: “Do not do this…” vs. Positive framing: “Do this…”)
Actively recognize and reward individuals who report potential threats or vulnerabilities, particularly if they work outside of the security function, highlighting that cyber security is everyone’s responsibility.
Onboarding is usually a key moment to create affiliation and a sense of belonging, as well as a great time to introduce the culture of the company. New employees can be introduced to cyber security policies and guidelines from day 1, thereby immediately understanding its importance and expected behaviors.
Consider how cyber security knowledge and practice can be assessed during the hiring process. Leaders coming into the organization already possessing a high degree of risk awareness will also reinforce the right behaviors with their teams.
During my time at Cloudflare, I have seen firsthand how these principles in practice can affect an organization. Take for example training. I’ve heard horror stories of colleagues scheduling time with executives to stand next to them while they take they’re annual security awareness training. At Cloudflare however, our executives are typically the first to get the training done. Leading by example in this small way helps to make policies more effective.
Rethinking organizational culture
Change takes time to take root. After the GM/Toyota partnership encountered its initial setbacks, many of the cultural changes they implemented finally started to land and have a positive impact.
GM’s persistence in the face of those initial challenges should be a positive lesson for CISOs who might be feeling discouraged or frustrated — if behaviors were easy to change, their job (and frankly mine) would be much easier. When it comes to the people part of cyber security, it requires going deeper than the surface level and looking at what is at the core of the company.
At Cloudflare, we have embraced cyber security as a core value and both leaders and employees are enabled and encouraged to participate in a security culture. Having the processes and technology already in place allows leaders to focus on the people aspect and lean into the opportunities this cyber resilience has created.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
*Schein, E.H. (2010). Organizational Culture and Leadership
Author
Xiaolu Coenen — @xiaolucoenen
Head of Global Leadership Development, Cloudflare
Key takeaways
After reading this article you will be able to understand:
How to approach the people aspect of organizational change management
The role of leadership in shifting mindset and behavior to accomplish change
8 ideas that reinforce the culture of cyber resilience