How Your Org Chart Can Reflect a Culture of Cybersecurity at Work

The Need for a Culture of Cybersecurity at Work

According to IBM Security’s 2019 Cost of a Data Breach report, “The average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years.” What does this mean for organizations looking to prevent data breaches and security incidents? It means that in order for organizations to adequately prepare to deal with today’s cyber risks, avoid costly fines and penalties for non-compliance, and give clients the peace of mind they deserve, their corporate structure should reinforce a culture of compliance – one that is strongly embedded into the organization, clearly visible in the company’s org chart, and focused on cybersecurity.

Cybersecurity is a Company-Wide Effort

Establishing a culture of cybersecurity at work is no longer just a best practice – it’s absolutely necessary. But for many organizations, initiatives that emphasize both cybersecurity and compliance haven’t been a major focal point for departments outside of IT. Because IT has traditionally been the sole bearer of cybersecurity and compliance initiatives, cybersecurity and compliance best practices are seen as only a small component of the business strategy instead of as a strategic initiative in their own right. To change this, a culture of cybersecurity should be embedded into every aspect of your organization – even your org chart. While the right approach will depend on factors like your organization’s size, industry, budget, and personnel experience, there are typically three ways to emphasize cybersecurity through your org chart: top-down, bottom-up, and network. Whichever way you structure it, there need to be clear lines of communication between personnel, both vertically and horizontally.

3 Ways an Org Chart Reinforces Cybersecurity

Top-Down Org Chart

Perhaps the most common org chart is the top-down structure; it starts with the Board of Directors and ends with entry- or low-level employees. In order to emphasize a culture of cybersecurity at work in this org chart model, the Board of Directors needs to set the tone for compliance initiatives. This means that in the company’s business strategy, cybersecurity and compliance will be strategic initiatives and not merely a responsibility that IT reports on. A basic rendering of a top-down org chart might look something like this:

Top-Down Org Chart

Bottom-Up Org Chart

Opposite to the top-down org chart model, bottom-up org charts are less common but empower lower-level employees to take part in the culture of cybersecurity at work. In these models, low-level employees often feel they have a greater role in creating and maintaining a culture that focuses on cybersecurity and compliance because they understand that their day-to-day tasks play a key role in the company’s overall business strategy. This org chart also opens up more lines of communication between upper management and lower-level employees, as employees are more likely to identify and report issues when they know that their bosses will listen to their concerns and take corrective action when necessary. A bottom-up org chart typically looks like an inverted pyramid, like the following:

Network Org Chart

More and more businesses are relying on third parties to supply information security services for their organization, especially companies that don’t have the time, budget, or personnel resources to meet their growing cybersecurity needs. But when major components of the business are outsourced, maintaining a culture of cybersecurity and compliance becomes more difficult. By developing a network org chart, businesses can clearly see which components of the business they’ve outsourced, where those vendors are located, and who is responsible for overseeing those vendors and their compliance efforts – all while showing where in-house departments sit, who oversees them, and what tasks they’re responsible for. A network org chart might look something like this:

Regardless of the org chart model your business uses, ensuring that every employee knows who they need to be communicating with is essential, especially in regard to a culture of cybersecurity at work. If you’re looking to revise your company’s org chart, let’s chat so you can find out how KirkpatrickPrice can help!
