How Board Members Can Set the Tone for Cybersecurity Culture


The importance of cybersecurity in the current digital landscape cannot be overstated. According to the National Cybersecurity Alliance, in 2021, the average cost of data breaches totaled $4.24 million, and the number of ransomware data leaks went up by 82.2%.

These realities stress the necessity of a cybersecurity culture where all employees embrace better security practices. Workplace culture begins with members of the leadership and permeates throughout the organization. Board members can help set the tone for making cybersecurity a priority in the workplace culture and encourage executives and employees to follow suit.

What is a Workplace Cybersecurity Culture?

Cybersecurity culture indicates how much your company values IT security. It’s the collective mindset your company has about cybersecurity. What separates cybersecurity culture from strategy is that culture includes people, not just technology and processes. It fosters engagement with cybersecurity, making it easier to establish unified and official approaches to managing cyber risk. It exercises collaboration to enhance cybersecurity at scale.


Since organizations operate within different industries and have unique concerns, there’s no one-size-fits-all solution for cybersecurity culture. However, the following four factors are helpful for board members at any organization seeking to promote a strong cybersecurity culture:


Board members have the power to set the tone around cybersecurity. This task requires a commitment to establishing policies and integrity to ensure all employees — from executives to entry-level workers — are held to the same standards regarding data handling and network access.


Training programs enable businesses to foster a better cybersecurity culture from the start. With training for new hires and continuing education for existing teams, you reduce the chances that employees make misinformed decisions with technology and the data in their possession.


Reporting procedures simplify employee processes for communicating cybersecurity events and can streamline incident response. Having set procedures for reporting can also help highlight areas for improvement when employees aren’t sure what to do about a particular incident.


Cybersecurity culture isn’t strictly for board members to develop. Businesses require open communication between employees, executives, and the board, where the former can share ideas for improving security, and the latter can ensure all teams stay up-to-date about best practices.

How Board Members Can Lead by Example

Culture is a powerful asset for businesses. A survey from PwC found that 69% of senior leaders at various organizations claim their culture helped them remain successful during the COVID-19 pandemic. When culture is prioritized at the board level, it has wide-reaching implications for the entire company.

Boards of directors can leverage their skills to foster a better security culture. Consider the following four techniques:

Make Cybersecurity a Priority on the Board’s Agenda

It’s unlikely that employees will prioritize cybersecurity unless they see leaders do so. Ensuring cybersecurity makes it onto the agenda is the initial part of setting the tone for a stronger culture.

What it means to prioritize cybersecurity may look different depending on the business. Boards can assess if they give IT security enough attention by asking the following questions:

  • Does the board feature at least one security expert?
  • Does the board confer regularly with the CISO?
  • Does the board factor cybersecurity into all strategic planning?
  • Has the board undergone security training?
  • Does the board use well-defined metrics to evaluate cybersecurity practices?
  • Does the board hold regular risk assessments?
  • Does the board encourage open and honest communication about cybersecurity?


Establish Clear Policies and Procedures for Cybersecurity

Culture can feel abstract; policies and procedures make it practical. They also make it easier for leaders to disseminate information about cybersecurity best practices and inform teams of updates.

However, it’s important not to mistake compliance for security when drafting cybersecurity policies and procedures. While adhering to industry regulations regarding data privacy is crucial, it’s not the same as cybersecurity. Cybersecurity goes beyond checking boxes and meeting the minimum expectations. So, organizations should regularly revisit their policies and procedures to confirm they enhance cybersecurity and reflect industry standards, which are always changing. Adopting the habit of ongoing review can help businesses improve their assessment and compliance efforts and prevent their policies and procedures from becoming outdated.

Ensure Employees Are Trained on Cybersecurity Best Practices

Policies provide employees with clear approaches to handling cybersecurity incidents, but teams also need training to understand cyber threats. This training can involve educating employees on types of cyber attacks, networks and datasets most vulnerable to attack, and strategies for detecting these threats.

Some leaders are reluctant to offer training due to a perceived lack of value in the investment. It’s for this reason that involving IT executives, like the CISO, in board discussions is essential.

Regularly Review and Assess Cybersecurity Risks

Boards understand risk assessments well, as they use them to evaluate all strategies. The same applies to cybersecurity risk. After all, eliminating cyber threats entirely isn’t feasible. According to IBM’s Cost of a Data Breach Report 2022, 83% of businesses had more than one data breach between 2021 and 2022. In other words, encountering a cyber threat sooner or later is likely. The results of your cyber risk assessment will help you prioritize areas to address and guide you in making both short- and long-term investment decisions.

Although cyber incidents can significantly impede your business, there’s a silver lining — they provide the opportunity to learn. If a cyber attack is successful, take the time post-incident to evaluate what happened and identify areas for improvement. Many businesses conduct periodic assessments of their cybersecurity risk to modify their IT strategy before an incident occurs.


The Benefits of a Strong Cybersecurity Culture

When board members nurture a robust cybersecurity culture, the effect ripples throughout the organization. The following are just some of the many advantages:

  • Reduces the risk of data breaches and other cyber attacks
  • Demonstrates an organization takes cybersecurity seriously
  • Enables businesses to detect threats before they can impact networks
  • Creates an environment where employees can communicate honestly about concerns and are more adept at noticing problems
  • Boosts customer trust and loyalty
  • Improves overall performance


Make Cybersecurity Culture a Priority

Leadership is paramount if your business wants to enact any change in organizational culture. While all employees have a stake in cybersecurity efforts, board members have the authority to set the tone for an intentional culture.

For board members unsure where to begin with cybersecurity culture, guidance from experienced cybersecurity professionals is the ideal place to start. M.A. Polce is a managed services provider (MSP) and managed security services provider (MSSP) offering high-quality and cost-effective cybersecurity services to small to medium-sized organizations across New York State. We create long-term relationships with clients to understand their business and deliver tailored solutions. Contact us today for more information about our services.


