Keri Pearlson likes to learn – and teach.

But she never imagined that those two traits, plus an expertise in organizational management, would lead to her current role as executive director of cybersecurity at MIT Sloan, leading the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3.

“I’ve only been in cybersecurity for five years,” said Pearlson, who started out as a systems analyst at Hughes Aircraft Company and has held teaching gigs at Babson College and The University of Texas at Austin. She also worked in industry at Gartner’s Research Board, CSC, and AT&T.

Pearlson founded the CIO advisory services firm KP Partners, as well as the IT Leaders’ Forum, a community of next generation IT executives. She also serves as the founding director of the Analytics Leadership Consortium at the International Institute of Analytics.

When she started in her current role, Pearlson says, “I felt overwhelmed by how much I didn’t know.” But in that short time, she’s amassed research, and her group has created a blueprint for organizations to build a culture of cybersecurity and trust for sharing mitigations for breaches.

“Classic training classes are important, but not enough” to lift awareness and ensure that employees don’t make their organizations more vulnerable to cyberattack through risky behavior, said Pearlson.

“We know what people do during compliance training,” she said. “They’re not 100 percent focused on training.”

Instead, Pearlson has invested in “changing attitudes, values and beliefs” to establish a cybersecurity culture, an initiative she says can draw from marketing principles and managerial tools to be successful.

Key to change is understanding a business and its objectives – and how employees think. She points to operational technology environments, where safety on the factory floor is of paramount importance and now baked into corporate culture. “Someone might get hurt,” said Pearlson. “They understand that.”

Pearlson suggests a multi-prong approach, starting with a performance evaluation, then the establishment of penalties and communications that start at the top of the ladder with the CEO. “There are dozens of examples of having someone own it,” she says. “Culture doesn’t get the attention if it’s one person’s job.”

Delivery of training and education matters as well. In an instant learning culture, people want to learn where and when they want. It’s important to keep employees engaged, perhaps developing training models that leave “students” wanting more. “People can’t wait for the next module,” she said.

Even small gestures can reinforce security training and slowly change culture. At one company, employees would “go to the bathroom and find little messages” encouraging them to be aware. In a work-from-home environment, those “Post-It notes can be replaced with virtual alternatives.”