
Holiday Parties, New Year's Resolutions, and Security Culture

Jan 08, 2024

Take a walk with me on a journey we are all familiar with - and might be on right now...


It all begins with the company Thanksgiving lunch, then the whole next month is just a wave of snacks and parties and big dinners - a great time to overindulge! Then after Christmas it occurs to us: "I have been eating way too much and it's time to get back in shape and 'get healthy'."


Then the New Year's resolutions kick in, and we plan, invest in gym clothes and a gym membership, and watch YouTube videos on healthy diets and workout routines. We are on track with the healthy eating and the diet plan and trips to the gym.


Stay with me now, I promise this is not a fitness blog - it will all make sense in a moment.

Everything's going great - and then Valentine's Day arrives. You and your partner go out for dinner, you celebrate your success at working out with a little dessert and a glass of wine; maybe just a taste of all the things you've been missing... This is the start of the plan unraveling: you start breaking small rules and going off track with your healthy lifestyle. Then before you know it, the diet is forgotten and you haven't been to the gym in weeks.


How does this relate to security culture?


When an organization builds a security culture, it can't be like a New Year's resolution. Security culture isn't a fad diet to adopt and drop later.


Just like healthy lifestyle choices, security culture is better built slowly, with small changes every day - rather than going hard and burning out in a few months.


When a Chief Information Security Officer (CISO) or a VCIO has a conversation with you on building a security culture to protect the organization, think of it as if your general physician is guiding you to plan your meals according to the food pyramid, with balanced portions of protein, grains, vegetables, fruits, and dairy.  Only in the organization's case, maybe the "food pyramid" is the cybersecurity practices outlined in NIST 800. 


When the VCIO or the CISO is talking about building and implementing the security culture, they are speaking like a physician asking you to practice simple healthy habits. Simple healthy habits are easier to keep up long term, and have better long-term effects for your health.


Doing the same with healthy digital practices will keep your organization resilient. Understand that organizations, just like people, will eventually get "sick" - but having healthy habits will help you recover faster. What the CISO or VCIO is trying to avoid is a "trip to the emergency room" in the form of a cyber incident, which would create chaos in the organization, leading to crippling losses, time loss, longer recovery time, forced behavior changes, and the list goes on...

 

If you implement healthy digital habits, it will make your organization resilient and also make your employees aware of their own personal digital habits. Personal or professional, healthy habits are worth cultivating, every day.



Hey, my name is Tariq Azmi!

Listening to the challenges companies are facing challenges me to find solutions that fit their environment.

I am passionate about data security and compliance.

Let's chat! I'd love to hear from you.
