Folks that know me well know that I am an annoyingly persistent advocate for the role of culture in security. Drucker famously said that “culture eats strategy for breakfast”, but he was only partially correct…culture eats everything for breakfast. There is no value delivered by a fancy new bit of tech that a dysfunctional culture cannot undo.
If you examine IBM’s Cyber Resilient Organization study from 2021, you will see that the top 7 reasons why cyber resilience does not improve are actually cultural (and therefore leadership) issues, not technology issues. This is true for most of the list, in fact…even the ones that appear to be technology issues on the surface.
It’s simple, but it’s not easy: if you change the tech but not the culture, none of the gains you realize in the short term will be sustainable in the long term.