The Need for a Cybersecurity-Centric Business Culture
Building a culture of cybersecurity is achievable by acknowledging its importance and consistently reinforcing that message.
October 18, 2023
Highly experienced information security team in place? Check.
Leading endpoint detection software and monitoring in place? Check.
Multifactor authentication enabled on all environment entry points? Check.
By all accounts, cutting-edge technology and skilled cybersecurity resources should be the end of the story for ensuring network integrity, right? If only it were that simple. With a recent survey indicating that 74% of cyber incidents include a human component to enable a threat actor, a company must do more to ensure a culture of cybersecurity and to protect its organization.
So what does more look like?
A More Secure Organization
More starts with understanding there is always a cybersecurity risk and ultimately ends with an established culture across all levels of the organization committed to collectively mitigating that risk. Let's run through a few approaches that can help establish that culture and, thus, a more secure organization.
It starts at the top: Building a culture from the top down is not a new concept, but its relevance to cybersecurity within organizations is gaining the traction it deserves. At a base level, in order to simply have the technical applications and experienced personnel in place to adequately protect an organization, you need the individuals with the purse strings to be onboard. The sell likely has become easier over the past several years as incidents are in the news, the visibility grows, and those in the C-suite see similarly situated organizations fall victim to cyberattacks. At the end of the day, the message needs to be loud and clear from an organization's leadership that: a) we understand and appreciate the evolving cybersecurity risk to our company; and b) we are willing to invest in the security of our environment (both from technical and non-technical standpoints) to protect our business.
Demonstrate that cybersecurity matters: It might seem like we're asking a lot of an organization's leadership when it comes to creating a culture of cybersecurity, and that might be true. But building a culture of any kind within an organization begins with leadership embracing an idea and then continuing to acknowledge and engage on the topic. In this context, it means making cybersecurity part of the lexicon of an organization and finding the right opportunities to continuously demonstrate its importance to the company. How an organization decides to do this might depend on how it communicates with its workforce generally on other important topics, but some simple options include: 1) Regularly re-engaging on the topics of cybersecurity via an email newsletter from the chief information security officer (CISO) — highlighting not just what the company is doing on the technical side, but what challenges all organizations are facing related to evolving threats (e.g., AI) and the CISO's take on how every employee can help; and 2) Discussing cybersecurity on CEO- or COO-led companywide calls and emphasizing the importance of a strong cybersecurity culture to the longevity and success of the business. The more leadership discusses the importance of a culture of cybersecurity, the more employees will acknowledge that risk and ultimately accept a level of responsibility for the organization's cybersecurity safety.
Educate (and then test and test again): Ben Franklin once said, "An investment in knowledge pays the best interest," and when the average cost of an incident globally is in excess of $4 million, that certainly rings true when it comes to cybersecurity. There can be no doubt that the investment in educating and building an employee base knowledgeable about cybersecurity has real economic value to an organization. This training allows employees to act as the last line of defense against a range of cyber threats, but perhaps equally as important, it empowers every employee to be a cybersecurity advocate for the organization, reminding their colleagues of the importance of vigilance in support of a culture of cybersecurity. So how do you educate your employees? It starts with implementing a robust cybersecurity training program (hopefully something both educational and fun) and it continues by keeping your employees on their toes, using test phishing emails (and even text messages). The training and testing are then followed up with subsequent "re-training," if needed, to keep cybersecurity top of mind. Organizations can then share the outcomes of these test phishing emails with all employees (on standing calls or in their CISO newsletter) to take advantage of another key opportunity to speak to and reinforce the importance of cybersecurity with real data and then share ways to help everyone do better.
At the end of the day, building a culture of cybersecurity is achievable by acknowledging its importance and consistently reinforcing that message. The goal is to have people thinking and talking about cybersecurity as part of their normal course of business and not simply in the context of "another training" or as something completely divorced from their role. When you find your teams are having a conversation about the latest phishing test email (for a free Thanksgiving turkey) or a recent cyber event impacting a competitor, you are witnessing the true reflection of a successful culture of cybersecurity. You should take a moment to applaud your team's success, and then, of course, plan for how to keep it going.