In a new survey on cybersecurity culture, 90% of the nearly 5,000 technology professionals who participated identified a gap in their existing culture and the cybersecurity culture they would like to have, according to ISACA and CMMI Institute.

The Cybersecurity Culture Report revealed the results of more than 4,800 technology professionals surveyed about security awareness and behaviors in enterprises, particularly how awareness integrates into daily operations and leadership priorities.

"Cybersecurity management is critical for successfully securing a modern, digital organization," said Kai Roer, CEO of CLTRe. "Building and maintaining security culture is a process. It requires a number of steps, and when done correctly, it will both boost the security culture and provide documentation and stepping stones to close the gap between as-is and to-be states."

According to the survey, though, a mere 5% of respondents said their organization is well positioned to mitigate both internal and external threats. Only a third (34%) of respondents are aware of the role they play in creating a cyber-aware culture within their organizations, suggesting that many companies are not effectively getting the message out to all employees that they are a first line of defense when it comes to cyber-attacks.

“Enlisting the entire workforce to mitigate an enterprise’s cyber risk is an emerging practice,” Doug Grindstaff II, SVP of cybersecurity solutions at CMMI Institute, said in a press release. “We are hearing a lot of feedback about how organizations can move the needle on employee involvement. It’s challenging, but organizations are rightly concerned by the growing sophistication of cyberattacks.”

In fact, the survey found that in the small number of organizations that are satisfied with their cybersecurity culture, there is a strong correlation between widespread employee involvement and a security-minded culture. Within those organizations that have successfully created a cultural shift, 92% indicated that top executives embrace their cybersecurity awareness programs and demonstrate a deep understand of the underlying issues.

Yet 42% of organizations have not developed a cybersecurity culture management plan or policy, which ISACA said is the first step in building cybersecurity culture. The survey found that a lack of funding is a significant hurdle. Those companies that don’t yet have the culture that they want are spending only 19% of their annual budgets on training and tools, whereas those who believe their efforts to create a cyber-secure culture have been successful are spending 43% of their annual budgets.

"Spending on security culture is a crucial part of a security program," said Roer. "However, not all organizations are the same, and not all industries require the same level of security. It is, therefore, our opinion that benchmarking annual spending is not giving an accurate image of the needs to build and maintain good security culture.

"Instead, we suggest that creating a good understanding of the organizations current security posture, including its risk profile and risk acceptance, is key to success. Combine that analysis with a security culture benchmark, and you get a very potent perspective on where you are, where you want to be, and in addition, all the ammunition you need to get the funding you need, be it 19% or 43% of your annual security spending."