Skip to main content

Improving Cybersecurity Culture: Insights from Delta Air Lines, Yahoo, and American Express

July 6, 2023  | By: Ben Care

Enhancing Cybersecurity Culture: Lessons from Industry Leaders

Ok, so what is organizational culture? It is commonly defined as the shared values, beliefs, and behaviors that shape how a company functions. A strong culture brings people together, tapping into their individual strengths and personalities towards a common purpose. With such a cohesive culture, team members build trust, communicate effectively, and collaborate to be successful in any endeavor, including cybersecurity! We’re going to look at three companies that each took major strides to improve their cybersecurity culture.

Delta Air Lines is a major player in the airline industry, and as such, the company has a significant amount of sensitive data that must be protected. Delta Air Lines has implemented a corporate governance framework to oversee their cybersecurity program. This structure ensures that there is clear ownership and accountability for cybersecurity across the organization, and it helps to align cybersecurity efforts with the company’s overall business objectives. Their corporate governance framework is designed to support the company’s brand attributes (trust, security, and integrity) and to promote the achievement of their financial targets through responsible development and execution of corporate strategy. By prioritizing cybersecurity within its corporate governance framework, Delta Air Lines has created a culture where cybersecurity is viewed as an essential part of doing business. This culture helps to ensure that cybersecurity risks are identified, assessed, and managed effectively and that the company is better positioned to prevent, detect, and respond to potential cyber threats. Implementing a corporate governance framework has helped create a strong cybersecurity culture within Delta Air Lines, where all employees understand the importance of cybersecurity and are actively involved in protecting the company’s systems and data.

A poor cybersecurity culture can lead to dire consequences for organizations, as demonstrated by Yahoo’s massive data breach in 2013 [see link here], with subsequent legal and financial repercussions. However, when disaster strikes, the best thing to do is to make sure it does not happen again, and Yahoo took significant steps to improve its cybersecurity program in response. Let’s look at one of their improvements. Through encouraging a culture of reporting, Yahoo creates an environment where employees feel comfortable reporting potential security incidents or concerns, which can help them detect and respond to cyber threats more effectively. This is important because employees are often the last line of defense against cyber-attacks, and their vigilance and awareness can help to prevent or mitigate the impact of a cyber incident. When employees understand the risks and consequences of a cyber-attack, they are more likely to take security seriously and make informed decisions about their online behavior. These efforts have helped to improve Yahoo’s cybersecurity posture and ensure that the company is better positioned to detect and respond to potential threats and create a cybersecurity-aware culture where employees understand the importance of cybersecurity and take proactive steps to safeguard their data and systems.

American Express is a global financial services company that recognizes the importance of cybersecurity in protecting its customers’ sensitive information and maintaining its reputation. To improve its cybersecurity culture, American Express has implemented a comprehensive cybersecurity awareness program. This program includes regular training sessions, workshops, and simulations that help employees identify and respond to potential security threats. The program also covers topics such as password management, phishing, and social engineering. By implementing such a program, American Express is demonstrating a commitment to cybersecurity at all levels of the organization. The program helps to create a culture of security where employees are empowered to take an active role in protecting the company’s information assets. This, in turn, can lead to a more vigilant and proactive approach to cybersecurity, reducing the risk of cyberattacks and data breaches.

Yahoo Delta Air Lines American Express
Implemented security policies and procedures Multi-factor authentication Implemented a security incident response plan
Regular security awareness training Upgraded security monitoring systems Invested in security technologies such as encryption and data loss prevention (DLP) solutions
Encouraged reporting Developed a cybersecurity awareness program Established a cybersecurity awareness program
Security incident report plans Conducted regular cybersecurity testing and training Third-party risk management
Invested in security technologies Corporate governance framework

As you can see from the table, there are a lot of similarities in the ways these companies have improved their cybersecurity culture with all of them having some sort of focus on cybersecurity awareness. Yahoo’s security awareness training is a critical aspect of its cybersecurity culture. Implementing regular security awareness training for its employees helped to establish a culture of security within the company. Delta Air Lines’ cybersecurity awareness program has played a crucial role in improving its cybersecurity culture by educating employees about the latest cyber threats and best practices for protecting sensitive data, including an expert speaker series along with awareness and engagement events and team participation in National Cybersecurity Awareness Month. In Addition, they have established a dedicated Information Technology (IT) Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds.  Finally, American Express has a strong cybersecurity awareness consisting of regular training, workshops, and simulations. Some example topics covered are password management, phishing, and social engineering.  

So clearly, we can see that all three companies have prioritized security awareness training as a key component of their cybersecurity culture and here at cyberconIQ we agree! By educating its workforce on the latest cybersecurity threats and how to identify and avoid them, these companies empowered their employees to be the first line of defense against potential cyberattacks, which ultimately leads to a better understanding of the importance of cybersecurity and their role in maintaining it.  

These outcomes align with what we at cyberconIQ strive for with our cybersecurity awareness training – or education. More than awareness, we empower users with a personalized approach that is proven to reduce human-factor cyber risk, protecting your company and keeping the company’s systems and data secure. When you as an employee understand the potential risks and consequences of their own risk-style, you can make better informed decisions – minimizing risky online behaviors. Our enhanced Security Awareness Training approach can play a crucial role in improving a company’s cybersecurity culture. By empowering employees with our patented approach, they leverage more than just knowledge and skills to identify and respond to cyber threats, they become an integral component in creating an enhanced cybersecurity culture to help prevent cyber-attacks before they happen.  

In conclusion, cybersecurity culture is an essential aspect of any organization’s security posture. Developing a strong cybersecurity culture requires a comprehensive and innovative approach that includes implementing security policies and procedures, conducting ongoing and enhanced security awareness training, encouraging a culture of reporting, establishing a security incident response plan, investing in security technologies, and continuously monitoring and improving the security posture. As demonstrated by the examples of Delta Air Lines, Yahoo, and American Express, prioritizing cybersecurity and investing in awareness and training programs can help to establish a culture of security within an organization. Cybersecurity culture is not a one-time effort, but rather a continuous process that requires ongoing vigilance, awareness, and improvement to keep up with the evolving threat landscape. 


For more information on improving your existing security awareness programs, lowering your human risk, and creating a Security First Culture®, contact us today.