When referring to cybersecurity within an organization, how long does it take to change a culture inside of an organization? How can you know if the new culture is rooted within the organization? When should you expect to “reach” that change?
If you believe you can answer these questions with an actual value, your company may not be ready to take on a new culture. This is because a culture change happens when an organization adopts the new mindset and builds its image around it. In cybersecurity and organizational management, a company deciding to adopt a new culture must implement it with not just two-part epoxy but two-million-plus-part epoxy so the hold is permanent.
If your vision is to create a new culture, you must implement it. This sounds logical, but Todd Jick (2001, p. 36) suggests that a vision is likely to fail when 90% of the time spent on the new vision is all talk (deciding the ins and outs) and only 10% is spent on the actual implementation of the vision.
To prevent a failed vision, implementing a cybersecurity mindset means changing your culture by creating a vision with cybersecurity at the core of its values and purpose, setting audacious goals, and reimagining a future that aligns with the new culture (Collins & Porras, 2005). A culture change and all its nuances may not happen overnight, but the decision to change the way of thinking so that a new culture can start can.
Collins, J., & Porras, J. (2005). Built to last: Successful habits of visionary companies. Random House.
Jick, T. D. (2001). Vision is 10%, implementation the rest. Business Strategy Review, 12, 36-38. https://doi.org/10.1111/1467-8616.00190