Introduction
October is Cybersecurity Awareness Month, an international initiative that emphasizes crucial actions to mitigate Cybersecurity risks. Cybersecurity has evolved beyond simple passwords and firewalls; it now involves the complex interaction between people, processes, and organizational culture. In an era where a single click can trigger a significant security breach, establishing a resilient Cybersecurity culture is essential. Such a culture establishes a foundation of trust, business continuity, and ongoing success in our interconnected digital landscape. This raises an important question: what defines a resilient Cybersecurity culture? This article explores best practices, informed by global standards and frameworks, that are vital for building resilience within organizations.
A resilient Cybersecurity culture empowers all employees to understand their responsibilities in protecting sensitive data, reducing risks, and maintaining business continuity. Human error is a major factor in security incidents, with studies showing that approximately 95% of breaches involve some level of user involvement. By integrating Cybersecurity into the fabric of the organization, companies can minimize financial losses, protect their reputation, and avoid operational disruptions, effectively turning vulnerabilities into strong defences.
Governance and Tone at the Top
Strong governance is essential for effective Cybersecurity, with leadership playing a crucial role in establishing the "tone at the top" that integrates security as a core business value. This involves creating clear policies and procedures, defining roles, and implementing accountability frameworks that align Cybersecurity with strategic decision-making.
Best practices from the Institute of Internal Auditors (IIA) highlight the importance of boards and executives actively engaging with cyber risks. Regular reporting and alignment with organizational objectives are crucial for this engagement. The NIST Cybersecurity Framework (CSF) 2.0 and ISO 27001:2022 recommend developing a Cybersecurity risk management strategy that includes executive sponsorship, appropriate resource allocation, and cultural integration. Leadership's active involvement can shift organizational mindsets, reduce resistance to security protocols, and embed resilience into everyday operations.
To facilitate effective implementation, organizations should:
- Assemble a cross-functional Cybersecurity committee led by senior management,
- Hold periodic briefings to update the board on emerging threats, and
- Model secure behaviours ranging from the adoption of Multi-Factor Authentication (MFA) to phishing awareness.
Risk and Controls
Robust risk identification and mitigation through effective controls are essential for developing a resilient cybersecurity culture. The first step involves conducting comprehensive risk assessments to identify assets, threats, and vulnerabilities. The NIST CSF 2.0 outlines key "Identify" and "Protect" functions, along with recent enhancements to security and privacy controls.
To foster a proactive culture, organizations can implement gamified training programs that simulate potential threat scenarios, encouraging employees to report suspicious activities. Continuous monitoring through Security Information and Event Management (SIEM) systems ensures that controls remain responsive to emerging threats, highlighting the importance of ongoing risk evaluation.
Ultimately, framing risk management as a shared responsibility empowers employees and transforms potential liabilities into manageable risks.
Incident and Continuity
A resilient organizational culture must prepare teams to address inevitable challenges by prioritizing incident response and business continuity planning. The NIST Special Publications updated in 2025 outline structural recommendations for incident response processes, which include detection, analysis, containment, eradication, and recovery methods. It is essential to establish a well-defined Incident Response Plan (IRP) that clearly outlines roles, communication protocols, and methodologies for post-incident debriefs so that the organization learns from each event.
Organizations should regularly conduct simulations to develop muscle memory, ensuring rapid and effective responses during actual breaches. Integrating Cybersecurity into broader Business Continuity Management (BCM) frameworks is crucial for maintaining operational integrity amidst disruptions, such as ransomware incidents. A culture of "no-blame" reporting is vital for encouraging timely incident disclosures, thereby enhancing resilience through collective learning and adaptation.
Third-Party Risk
In today’s interconnected digital environment, third-party risks can compromise internal security efforts, making vendor management a critical component of any resilience strategy. Effective Third-Party Risk Management (TPRM) requires thorough assessments of suppliers' cybersecurity practices both before and during engagements. The expanded guidelines in NIST CSF 2.0 highlight the significance of Supply Chain Risk Management, advocating careful evaluation of third-party risks and recommending the inclusion of stringent security standards and audit clauses in contracts. Upcoming revisions set for 2025 are expected to strengthen these guidelines further. Additionally, ISO 27001:2022 outlines specific controls for managing supplier relationships, ensuring that vendors comply with established security protocols to protect the organization’s overall security posture.
To cultivate a strong risk management culture, it is important to educate employees about the implications of third-party relationships and to integrate TPRM into procurement processes. This approach ensures that risks are managed collectively rather than in isolation.
Conclusion
Building a resilient Cybersecurity culture is an ongoing journey that requires commitment at all levels within an organization. This commitment leads to reduced vulnerabilities and increased trust. However, achieving this goal necessitates objective oversight, which is where IT internal audits and consulting come into play.
According to the Institute of Internal Auditors (IIA), internal audits provide independent assessments of controls, helping to identify gaps and ensure compliance with standards such as NIST, ISO, COBIT, ITIL 4, and ISACA guidelines. At RSM Eastern Africa, we offer consulting services that bring external expertise to benchmark best practices and implement frameworks that promote a resilient Cybersecurity culture.
References
AuditBoard. (2025, July 24). COBIT guide: Principles, enablers & IT governance explained. https://auditboard.com/blog/cobit
BlueVoyant. (n.d.). Third-party risk management. https://www.bluevoyant.com/third-party-risk-management
Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Cybersecurity best practices. https://www.cisa.gov/topics/cybersecurity-best-practices
Drata. (2025, April 29). Understanding the NIST incident response guide (Updated for 2025). https://drata.com/blog/nist-incident-response-guide
Institute of Internal Auditors (IIA). (2024, October 25). Tone at the top: The board's role in cyber resilience. https://www.theiia.org/en/content/articles/tone-at-the-top/2024/tone-at-the-top-the-boards-role-in-cyber-resilience/
International Organization for Standardization (ISO). (n.d.). ISO/IEC 27001:2022 - Information security management systems. https://www.iso.org/standard/27001
ISACA. (2025, July 9). New guidance from ISACA helps enterprises navigate NIS2 and DORA regulations. https://www.isaca.org/about-us/newsroom/press-releases/2025/new-guidance-from-isaca-helps-enterprises-navigate-nis2-and-dora-regulations
National Institute of Standards and Technology (NIST). (2025, August 26). NIST releases revision to SP 800-53 controls. https://csrc.nist.gov/News/2025/nist-releases-revision-to-sp-800-53-controls
Caveat
This newsletter has been prepared by RSM (Eastern Africa) Consulting Ltd, and the views are those of the firm, independent of its directors, employees and associates. This newsletter is for general guidance, and does not constitute professional advice. Accordingly, RSM (Eastern Africa) Consulting Ltd, its directors, employees, associates and its agents accept no liability for the consequences of anyone acting, or refraining from acting, in reliance on the information contained herein or for any decision based on it. No part of the newsletter may be reproduced or published without prior written consent. RSM (Eastern Africa) Consulting Ltd is a member firm of RSM, a worldwide network of accounting and consulting firms. RSM does not offer professional services in its own name and each member firm of RSM is a legally separate and independent national firm.