Top Culture Transformation: Strategies to Employ in Your Organization

Culture is not a project to be completed and checked off a list. It's organic, the result of many interconnected things happening across an organization or team.

Investing in a human-centered cybersecurity culture is not quick and easy, but the rewards of the investment are tremendous. The list below represents a whole host of tactics you can try out within your team or larger organization to improve the culture. It is based on the cultural pillars we've discussed around high-performance cybersecurity cultures.

Five pillars of a high-performing cybersecurity culture

Let's dive in!  


Celebrate successes (big and small)

Not everything is going to be a home run, and sometimes people need to feel appreciated and recognized for the small stuff. This could be an improvement to an operational task. It could be someone who delivered outstanding customer service on a request.

Promote employee well-being

Take some time to promote and actively support the well-being of your team. This might mean encouraging physical or mental health in and outside of work. It might mean taking time as a team to dial the stress down and do something fun. Make this work in the context of your team and organization.

Provide awards to recognize and reinforce positive behaviors

Everyone loves awards and they don't have to be large to let somebody know that they're doing something well. Here are a few ideas that you could consider employing:

  • Custom stickers
  • T-shirts
  • Shout outs in team meetings
  • Positive note sent to the person's manager
  • A team-based award that is held for a period of time and moved around

Job rotation opportunities

Foster learning opportunities by giving people the chance to change things up, work with a new team, or shadow a leader for a little while. Learning through low-risk, hands-on experiences is a fantastic way to promote more cross-functional knowledge and experience across your teams.

Removing Blame

Run blameless post mortem discussions

A blameless postmortem is precisely what it sounds like. A postmortem without finger pointing. It assumes that everyone acted with good intentions and whatever happened is just a problem that now needs to be dealt with, together.

Atlassian has a fantastic guide on running a blameless postmortem and how to incorporate some of this practice back into your broader culture.

Watch how your team talks about others

Do the pentesters love to point fingers at the developers for writing bad code? Does your team blame the sysadmins for not applying their patches, without regard for what else they have going on? This needs to stop. It's not security versus everyone else. Embrace empathy in your team for what everyone else in the organization has going on.


Enumerate stakeholders

There are usually a lot of stakeholders in a cybersecurity program. These people and teams rely on what you do and the services you provide. Spend the time as a team to sit down and enumerate all the stakeholders you can think of in a space or format that will be easy to maintain over time. Here are some things to break down:

  • Name of the team
  • What is their primary goal
  • Any part of cybersecurity they particularly care about
  • Any known pain points

Hold regular office hours

Set up a time on the calendar when you will be predictably available and in the same place to chat, answer questions, and help. Consistency is part of the trust-building process; it doesn't have to be an excessively long time or happen more than monthly.

Get into the habit of regular retrospectives

Retrospectives are dedicated time to sit down as a team and reflect on what's working, what's not working, what to start, and what to stop. There are many approaches to use or specific leading questions that could be asked as a frame for discussion within a retrospective. The major benefit is the dedicated time to come up from "heads-down" work to reflect, learn, and pivot.

Check out this guide from Lucid Spark which goes deep into running an effective retrospective.

Check in with people

How could you possibly know how things are going if you don't ask? There are many ways to do this, and you'll need to experiment here to see where you're getting valuable information and engagement. Here are some things you can try:

  • Run periodic pulse surveys and track the results over time with structured questions such as an NPS-style rating or "one word to describe X"
  • Sit down and have 1:1 chats from time to time with people outside of your direct reports.
  • Host small group coffee chats with random groups of people from time to time. Let them know you're hoping to really hear and check in on how things are going.


Incorporate human-centered design (HCD) practices into new projects

Human-centered design (HCD) is the practice of putting people at the center of design, which informs how work products are created to serve those people. This is about understanding who they are, their pain points, the opportunities ahead of them, motivating factors, etc. Working HCD into your projects will help you build confidence that what you're building will actually add value. The conversations you're going to have in this process will also build trust along the way.

The following Harvard Business School article goes deeper into HCD.


Hold an ask me anything (AMA) session

An AMA is similar in nature to office hours, but it's more intentional about fielding questions. Make the event as open as possible to drive openness and transparency. Avoid planted or scripted questions, prepared responses, and rigid formats. Use the time to be yourself and be open to the questions that come your way.


Evaluate hiring processes for diversity and equity

Work with your HR/people operations team to look at your hiring processes. Are opportunities open to everyone? Are there any parts of the hiring process that would lead certain people (such as a single parent) to not participate? Are you writing job requirements in a way that discourages certain people from applying?

We go into more detail on this in our article on fostering equity in cybersecurity teams.