Question: Does leadership actively promote security culture through communication, example, and accountability?
Why This Matters
Culture begins at the top. When leaders visibly model secure behavior, talk about security in their own words, and hold themselves and their teams accountable, staff treat security as part of the job rather than an IT chore.
Maturity
0 — Unaware
No visible leadership involvement in security awareness.
1 — Ad Hoc
Occasional messages from IT or HR.
2 — Defined
Leaders endorse annual campaigns and policies.
3 — Managed
Executives participate in training and town halls.
4 — Integrated
Leaders share security success stories and metrics.
5 — Optimized
Leadership culture KPIs embedded in performance reviews.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Secure a named executive sponsor and a visible endorsement for the awareness campaign. |
| 1 → 2 | Publish CEO/CISO messages for security awareness day and alongside each policy release. |
| 2 → 3 | Include leaders in training and town halls. |
| 3 → 4 | Share success metrics and stories company-wide. |
| 4 → 5 | Add security culture objectives to leadership KPIs. |
Enablers
- People: CEO, CISO, Communications Team
- Process: Plan → Communicate → Reinforce
- Technology: Intranet, email campaign tool, dashboard
Evidence
- Leadership communications
- Event photos or videos
- Executive meeting minutes
KPIs
- Number of executive endorsements per year
- Participation rate of leaders in security training (completed vs. assigned)
- Number of leadership-authored security messages published internally per quarter
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Comms | Mailchimp Free Tier | Broadcast leadership updates (free tier has contact and send limits) |
| Intranet / Chat | WordPress / Mattermost | CEO blog posts on WordPress; pinned leadership announcements in Mattermost channels |
| Tracking | Airtable | Campaign log: message, sender, date, audience, reach |
Common Pitfalls
- Leaders delegate awareness entirely to IT and never speak about security themselves
- No visible tone from the top, so staff read security as an IT-only concern
- Messages are ghost-written boilerplate and lack authenticity, which staff quickly notice
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 5.1 (Leadership and Commitment) / 7.3 (Awareness) |
| DPDP Act 2023 | Sec 10 (Accountability and Governance) |
| NIST CSF 2.0 | GV.OV / PR.AT |
| NIRMATA Mapping | AC-Q08 drives leadership tone for security culture. |