Boards must drive an organisation’s culture
It has often been said that boards must drive an organisation’s culture. Is this true? According to NED and cyber psychologist Carol Brooks, the simple answer is yes, and here’s why.
Carol Brooks is a business and cyber psychologist interested in cyber investigations and how boards create a total cybersecurity culture. Carol has years of experience in the public and academic sectors at board level, working with directors and senior teams, and has been a non-executive director with the NHS.
Carol also provides consultancy, training, and development within law enforcement, including counter-terrorism and serious and organised crime at local and national levels.
Carol is a member of the British Psychological Society and the Association for Business Psychology and is the MD of Platinum 3p.
Key takeaways – boards and culture
- If you think about culture, you think of it as the feeling of an organisation – it’s the way we do things around here, it’s how people feel about the organisation.
- Culture is also about what we hear, what we see, how people behave, how the organisation is designed.
- Cyber culture involves more than just the tech side, it has to be broader, and organisations need a more comprehensive, more holistic view.
- The total approach to cybersecurity culture is about the people and the human side of the business, it’s about ensuring everyone is on the same page.
- Behaviour drives culture. How do people make decisions, what actions do people take? These are indicators of an organisation’s culture.
- Boards and senior leadership teams have to drive culture. If cybersecurity, for example, isn’t discussed as a priority at the top level, then a good culture isn’t manifested.
- Culture is like a melting pot of organisational factors that make an impact. Behaviours are the outputs.
- Good culture emerges from the top of an organisation. Are issues like cybersecurity talked about in a good way or in a bad way? Is there a non-executive who is the champion for cyber culture?
- There is an expectation that senior leaders embrace good practice and good cybersecurity culture. If they don’t, bad things will happen.
- Senior leaders need to be tuned in to threats. They need to understand what could happen.
- When disaster strikes, it usually has to do with poor decisions made at the board level.