Culture - the flaws in human nature - eats security budgets for breakfast

YOU CAN spend any amount of money on cybersecurity, but if the organisation lacks a strong security culture, your investments will never outpace the risks. Today, the biggest cyber risk influencer is still human conduct. Ignorance, arrogance, wishful thinking, sloppiness or lack of responsibility-taking or communication are to blame for most security breaches. Culture eats security budgets for breakfast.What are the indicators of a strong security culture and how do I know if I've got one? You cannot just ask "Is our security culture solid?" because the answer to that question, irrespective of the actual situation, will always be "Yes".

You also will learn little from the size of the security budget or the headcount of the security team. A list of security products deployed is just a list. Absence of incidents tells you little, as may the presence of a few incidents. Compliance to standards does not equate to security. And cyber insurance is just an insurance.

Whatever hard metric you find, it is likely not conclusive evidence of a good security culture. On the contrary, given the complexity of cybersecurity, any list of hard metrics is bound to be too long to be practically instructive to a board member. You must look for other signals.