Vernon is the Head of Organisation Consultancy at Sapphire.  

With over 25 years of experience, Vernon’s job is to share his knowledge of cybersecurity with organisations across the UK. Vernon is also a qualified trainer and certified professional who holds three certifications: information security management, governance, and risk management.

We spoke to Vernon about cybersecurity, his thoughts on a proactive approach and why cybersecurity culture is important.   

What does your role entail, Vernon? 

My role is to work with senior management in giving them a deeper understanding of cybersecurity. Most organisations don’t know enough about cybersecurity as they still see it as a technical issue rather than a cultural one.  

I still remember the days when cybersecurity was called IT security and then information security! 

So, what is cybersecurity culture?   

It’s an exciting concept and one that many people don’t grasp.   

Organisations today can potentially fall victim to a cyber-attack or cybersecurity outage. This is a threat that can cause severe damage to their ability to operate and their infrastructure.  

Cybersecurity culture is more than just raising awareness. Cybersecurity culture requires the whole workforce to know what a risk is, and the processes needed to avoid this risk.  

It’s therefore vital that organisations have adequate procedures in place for both internal and external communications to be proactive in cybersecurity. 

To do this, you need to establish key goal indicators such as developing internal communication channels for all staff and external communications (websites, events, and presentations).  

What many organisations feel, especially at a senior level, is the organisation’s vision of cybersecurity and its importance to service delivery. For example, if they get hit by an attack, can public relations discuss cybersecurity issues confidently?

We tend to see the BOD (Board of Directors) suggesting that organisations have been hit with a sophisticated cyber-attack, and sometimes this is not the case. What is required is to have a cybersecurity strategy that outlines how an organisation can deal with cyber-attacks.    

Why is it essential to invest in an excellent cybersecurity culture?   

As a result of threat actors and ransomware as well as one major attack after another, organisations are finding it difficult to recover. 

Rather than solely focusing on technology alone, a cybersecurity strategy needs to be based on six key pillars or foundations, and this covers effectiveness:   

  • Governance   
  • Cyber risk management   
  • Cyber security management framework   
  • Cyber incident management and response   
  • Cyber change management of emerging technologies   
  • Cyber communications and understanding   

Against each of these, you should have a crucial goal and key performance indicator to measure over time.   

How does a living security culture happen?   

Living security culture must come from the top cybersecurity governance where senior management and boards get together.  

Both can direct and control cybersecurity, so it is a matter of them assuring that the strategy aligns to support corporate objectives, making sure it’s applicable with objectives and making sure it’s in line with internal policies and controls. Most importantly, a living cybersecurity culture must ensure that it’s a shared responsibility so everyone can be part of the organisation’s security.   

Cybersecurity governance needs to contain both preventative and reactive methods as well as a focus on detection and acknowledging that attacks can be successful. From this, we need to make sure we align the right roles and responsibilities, set the policies, and prepare for incident management and response.   

One of the key things we see now is that so many technologies, such as the cloud, make it easier to compromise an organisation. We’ve got to be aware of the tactics taking place, and we’ve got to establish this shared responsibility because it’s crucial. The more everybody is engaged, the more we can stop and avert or minimise the impact of these cyber-attacks.   

Why is it hard for companies to instil cybersecurity culture?

Effective risk management against these threats enables business agility, and ethics, behaviour and competency are necessary to maintain cybersecurity culture.  

Organisations can only build business assurance with adequate security built into supplier relationships, and effective cybersecurity is good for business continuity. The best way to instil cybersecurity culture is via the acronym below:

S - Security Committee Responsibilities

T - Total Assurance

E - Effective Risk Metrics

E - Efficiency Risk Metrics

Globally, the best one is ISO 27001 & 27002 - this is where the standard is being revised. It covers three principal areas:

  • Information security   
  • Cybersecurity   
  • Privacy   

This is important as it enables organisations to look at the control framework from different perspectives.   

This can also be looked at from security domains, and one of the key ones is resilience.  

One of the things I would push is that we need to develop good KPIs - the ability to show commitment to a cybersecurity framework that addresses both technical and non-technical areas. This enables an organisation to pass any tender and auditing requirements, ensure conformance to expectations and meet stakeholder expectations.

To me, the foundations have a practical cybersecurity framework, and the ISO is the standard which is the best way to adopt it.  

Thanks for your time, Vernon! 

To learn more from our expert team, don’t hesitate to get in touch with us here! 
