
Why Managers Matter to Cybersecurity

Managers play a unique role in their organisation—solving problems, managing risk and interfacing between senior leadership and rank-and-file employees. It is managers who turn strategy into operational success by monitoring, motivating, and leading their teams. And it is managers who also provide critical insight up the chain of command if something isn’t working. So, it should be of some concern that a recent study by the Chartered Management Institute (CMI) found that the vast majority (85%) of UK managers are worried about escalating cyber-threat levels.

Fortunately, managers can also be part of the solution – by helping to build a cyber-aware culture in their organisation.

The UK Is Not Secure by Design

Secure by design is increasingly considered a strategic imperative in public and private sector organisations. In fact, it’s an approach championed at the heart of government and, in a similar way, promoted by GDPR regulators. At a high level, it means ensuring that every business practice with an IT or digital element has risk-based cybersecurity baked in from the start. However, major cultural change and awareness raising within the organisation are usually required to make it work.

At present, the UK seems to be a long way from being secure by design. The government’s Cyber Security Breach Survey 2024 highlights numerous challenges, aside from the fact that 50% of businesses (rising to 70% of medium and 74% of large companies) have suffered a breach over the past 12 months. Key deficiencies it reveals include:

  • Less than a third (31%) of businesses ran cyber risk assessments in the past year. And only a third (33%) deployed security monitoring
  • Only 11% of businesses review supply chain risks
  • Just 30% of businesses have board members directly responsible for cyber as part of their role, a figure unchanged for a year
  • Only 58% of medium-sized firms and 66% of large businesses have a formal cybersecurity strategy in place
  • Just a fifth (22%) of firms have incident response plans
  • Only 41% of companies seek information or guidance on cybersecurity from outside the organisation, down from 2023 figures (49%)
  • Only around one in 10 are aware of the National Cyber Security Centre’s 10 Steps guidance (13%) or of Cyber Essentials (12%)
  • Just 18% of businesses provide staff training

Against this backdrop, it’s perhaps unsurprising that UK managers are concerned about cyber threats. After all, their organisations seem poorly prepared to deal with escalating cyber risk. While it’s heartening that 79% claim to have participated in cybersecurity training or awareness programmes in the past year, only three-fifths (59%) say their employer offers regular cybersecurity training for all employees.

The Key to a More Security-Aware Organisation

Yet managers can play a critical role in getting things back on the right track, says Ian Campbell, senior security operations engineer at DomainTools.

“Day-to-day tone and priorities are set by management, as well as delegation and empowerment. These all present great cultural and technical opportunities for securing the organisation,” he tells ISMS.online. “C-Suite and executives set the tone; management executes on it at the ground level. That positions management to directly and immediately affect front-line security culture.”

As authority figures, managers can also have a significant psychological impact on employees, which can help to build a cyber-aware culture within organisations, argues Oz Alashe, CEO and founder of CybSafe.

“Managers hold a position of authority within the organisation, which plays into authority bias—a psychological principle where people are more likely to follow the guidance of someone they perceive as an authority figure,” he tells ISMS.online.

“When managers prioritise and model good cybersecurity practices, employees are more likely to follow suit.”

It should be concerning, therefore, that although managers’ cybersecurity awareness is getting better—with 93% claiming to have an “intermediate” or “advanced” understanding of online safety practices—80% believe their digital skills still need improvement.

Leading By Example

So, what can organisations do to empower their managers to drive a secure-by-design culture? The first step seems pretty obvious: ensure those managers are adequately trained. They should understand cyber-related concepts and best practices like social engineering awareness, the need for strong passwords and multi-factor authentication (MFA), and the importance of patching. They should also have the resources, tools, policies, and processes at their disposal to spread awareness and promote best practices.

Part of this comes down to leading by example, according to Alashe.

“Managers are in a unique position to influence behaviour, not only through direct instruction but also through their own actions. When managers demonstrate good security behaviour—like reporting suspected phishing emails—they set a standard others should want to follow,” he explains.

“Additionally, managers can leverage social proof—where people look to the behaviour of those around them to guide their own actions. By creating an environment where adherence to security policies is the norm and visibly practised, managers can help establish a culture where secure behaviour is the default, rather than the exception.”

DomainTools’ Campbell agrees, arguing that managers should look to create a “culture of trust and inquiry” where staff are encouraged to report suspicious events, and are praised for doing so regardless of the eventual outcome.

“Combining that with incentives to walk the security talk rather than just preaching awareness as an extra, unfunded mandate will create a holistic security program from the bottom up,” he adds. “Empowering employees to pay attention to and question novel events is a huge step forward.”

Managers should also act as a “lynchpin” between the workforce, technical support and security operations, he adds.

“They’re the ‘supernode’ that can—and need to—pass to TechOps and SecOps reports of technical issues and workflow friction, even as they pass to their reports the reasoning for the friction and how to better work within the system,” Campbell continues. “This communications subnetwork is especially important in gauging and reducing shadow IT, one of the biggest surface-area threats any organisation faces.”

This is not an easy task even with engaged and dynamic managers. Cultural change can be challenging and takes time. Fundamentally, it must start with trust, which means returning to managerial basics and building and maintaining trusted relationships with team members.

“Find the right people, empower them, and build from that foundation,” Campbell concludes.
