Eggo Waffles weren’t always called Eggo Waffles. In the 1950s, in the boom that followed World War II, Americans began a love affair with frozen foods. Frank Dorsa and his three brothers in San Jose California had been running a highly popular mayonnaise business and had expanded into powdered waffle mix, but demand for their mix had started to evaporate. The problem was that making waffles was a lot of work.
Frank was a bit of an inventor, so he created a giant waffle-making machine using a merry-go-round engine and number of electric waffle irons. Thousands of waffles were frozen and shipped every day. But the name, the “Froffle,” was a flop. Instead, customers called the waffles as “Eggos,” referring back to the distinctive egg taste of the Dorsa brother’s mayonnaise. The name, like the waffles, stuck around.
The Kellog’s Company bought the Eggo waffles line in 1968, and four years later they introduced the slogan “L’Eggo My Eggo”. The marketing campaign would be one of the most successful of all time, continuously running for 36 years. The commercials depicted kids and parents in an escalating struggle to maintain possession of their precious frozen waffles. The message was clear: the waffles were so good, if you weren’t careful, someone might steal them from you.
In my conversations with CISOs and CIOs from across the country, there is usually an expectation that the CISO create a “culture” of security. One person can’t create a culture, nor can one person acting alone change a culture that already exists. Leadership guru Peter Drucker is widely credited with creating the phrase, “Culture eats strategy for breakfast.” Drucker’s message is that an organization’s culture is much more powerful in creating success than the strategies that the executives come up with to drive an organization forward. To be clear, strategy is important. But when an organization values empathy and empowerment, where employees take responsibility for their own results, and where innovation is fostered, the company has a greater chance of succeeding.
Just like delicious waffles, culture also eats cybersecurity for breakfast.
Cybersecurity culture is only one facet of an organization’s overall culture and needs to be considered as a part of a larger whole before changing. For example, a company may have a high-pressure culture where employees are expected to respond to an email instantly. What hope is there to identify and respond to red flags in phishing messages if this culture is in place? On the other hand, what if the industry or the job is so competitive that changing that aspect of the culture would mean going out of business? Drucker’s advice is essentially that we should have empathy for our employees, and blaming hardworking people our cybersecurity woes can blind us to this.
If it’s true that culture eats cybersecurity for breakfast, then we should be able to test this theory. If the theory is true, then a company with a poor culture, no matter how much they focused on cybersecurity would more often be hacked or breached due to rogue insiders or individuals not following policy or controls. Glassdoor lets current and former employees of companies post reviews from 1 to 5 stars about what it was like to work at a company, which provides a simplified way of measuring culture to test our theory. Comparing the Glassdoor ratings of a company like Equifax and its competitors, TransUnion and Experian, provides a great case study. Equifax currently has a Glassdoor rating of 3.0, while TransUnion rating sits at 3.9 and Experian’s 3.7. I should note here that Equifax’s rating a year ago was a 3.4 and has declined steadily while both TransUnion and Experian have both risen.
To further test this theory, I looked at the Glassdoor ratings of nearly 400 companies that have been breached in the last year and found that the ratings for these companies are noticeably lower than the average rating for other companies in the same industry. But perhaps more troubling is that companies with a rating from 3.0 to 3.4 are three times more likely to have been breached than those with a rating above 4.0. And none of the companies that had multiple breaches in the last year had a rating above 4.0. This doesn’t mean that a company with a low rating will automatically be breached. There are many reasons why a company with good security and a great culture might get breached – perhaps they are just a bigger target. And this list doesn’t account for companies that have been hacked but haven’t yet realized it. But this does demonstrate how a company’s overall culture plays a significant role in cybersecurity.
Cybersecurity, is at its core, a leadership issue. The apparent correlation between Glassdoor rankings and breaches gives us yet another indicator in how correct Drucker’s wisdom on culture really is. And this provides even more incentive for us to improve, not just our cybersecurity, but our culture overall. To borrow a quote from Benjamin Franklin, “We must, indeed, all hang together, or most assuredly we shall all hang separately.”
The importance of eating breakfast is a part of our culture today, but it wasn’t always the case. It was John Harvey Kellogg, the founder of the famous Kellog’s foods company that cemented the idea of eating a nutritious breakfast as a key to good health. Before the 19th century, most people usually ate whatever was at hand before starting the day. This meant breakfast for most people was leftovers from the night before. Kellog’s created the phrase, “Breakfast is the most important meal of the day” to help sell cereal that was fortified with vitamins. This wasn’t just a marketing campaign: Kellog found a way to get people to take their vitamins and live a measurably healthier life in the process.
You can’t change a cybersecurity culture without changing the culture of the business. And employees can’t love cybersecurity without loving the business. Make them love the business so much they can’t “L’Eggo” and a security culture will follow right behind.