Over the years, it has become self-evident that various stakeholders have a set number of expectations from successful businesses. Customers expect top-notch products/services, and full protection of their sensitive data. Employees demand a solid business foundation, laid on strong leadership abilities, particularly during testing times.
Regulatory bodies want your operations to comply with national or international data regulation standards. And last, but not least, investors want a decent Return on Investment (ROI), and the continuation of business operations.
Sometimes, the burden to meet these expectations makes businesses lose clear sight of their organizational culture and true identity. Cybersecurity, adopted as a culture, can help businesses fulfill the expectations of all their stakeholders. But first, it is important that enterprises must convey the sheer importance of cybersecurity culture, as a shared responsibility, to all their stakeholders.
Aanchal Gupta, an expert in Corporate Cyber Security, said that a solid cybersecurity culture is vital for both the enterprise and its customers. In today’s context, this is a very balanced approach, both from a business as well as a cyber security perspective.
The Sheer Importance of Cybersecurity Culture
According to a principal analyst at Forrester Research, Jinan Budge, cybersecurity culture involves a workplace where the entire workforce realizes the value of cybersecurity and is motivated to be a part of the process to improve their enterprise’s cybersecurity posture.
Candy Alexander, who is President of the Information Systems Security Association (ISSA) and Chief Information Security Officer (CISO) at NeuEon Inc, said that emerging cyber security challenges demand enterprises to re-evaluate their cyber security policies. She further stated that businesses must identify and articulate the latest risks and re-align their organization-wide culture and mindset in such a way that they are well-prepared for evolving security threats.
This also prepares enterprises against any possible risks that might harm their IT operations, and help them develop a plan to effectively respond to these risks. Alexander added that this awareness helps businesses in a lot of ways, as enterprises will now devise a strong line of defense against any cybersecurity threats or unauthorized data infiltrations.
Cybersecurity Culture and Some Challenges
The inculcation of a “well-knit” cybersecurity culture is a dream for many organizations, but it does come with its fair share of challenges too. In this section, we have listed a few of those bottlenecks, laid out by Jinan Budge from Forrester.
- People usually have a negative connotation attached to the word security, and they take a back step when enterprises talk about the “brand of security”. There is a need to change people’s attitudes toward the “bad rap” around cybersecurity.
- Another major problem is that security teams often indulge in internal fighting and office politics, which creates a “toxic” environment. Budge added that all this adds up to impede the process of developing a strong cybersecurity culture across the organization.
- Often, enterprises struggle to find a good leader in the form of a transformational Chief Information Security Officer (CISO), who makes it a top priority to develop a resilient culture of cybersecurity.
Best Practices for Creating a Cybersecurity Culture
Enterprises that succeed in adopting a robust cybersecurity culture use an empathetic and people-centric approach to tactfully articulate their goals and develop strategies to fulfill them.
They make the process personalized, and work towards the alignment of their broad corporate culture with their security culture. Jinan Budge is of the opinion that people need to feel an emotional connection with cybersecurity, rather than viewing it as a boring task.
If you want to develop a strong cybersecurity culture for your enterprise, the following five practices can help you a great deal in achieving your goals.
1. Involve the C-suite and Make it a Relatable Process
Alexander, from ISSA International, said that security leaders and key visionaries must work together with the enterprise’s top executives to successfully implement an organization-wide cybersecurity culture.
Key decision-makers must ensure that there is an alignment between business strategy and any associated risks. These risks must be communicated to the enterprise’s C-suite in relatable terms, so they can have a clear understanding of the entire situation. Only then, they will be able to offer their full support for this process.
2. Adopt an Empathetic Approach
It is important that security leaders take a human-centric approach to adopt a company-wide culture of security. They should understand the behaviors and difficulties of their stakeholders, and adopt an empathetic approach to implementing changes.
3. Make the Process Rewarding
In Gupta’s opinion, the development of a strong cybersecurity culture should be a “team sport”. Enterprises should have a “growth mindset”, where they value trying new things and everyone should be open to learning new ideas. For instance, enterprises can use role-playing activities, and even simulation games to train their employees about cybersecurity. Such initiatives will enhance the attention span of employees toward cyber security, in a fun and interactive way.
Another example is that enterprises can introduce bounty programs and reward any employee who detects simulated phishing emails. Tim Helming, who works as a security evangelist at DomainTools, suggested that enterprises can extend their bounty program to reward employees that detect actual phishing campaigns as well. He further added that employees’ well-executed education and training are of the utmost importance.
Employees should also be encouraged to voice their concerns if they witness something unusual. However, it is important to note that any such training and practices must not develop any sort of fear and or blame game among employees.
4. Invest Wisely
Helming advised enterprises to invest in such security tools that can help them augment the “human aspect” of their cybersecurity culture. For instance, the detection capabilities of enterprise staff members can be further improved by making well-thought-out investments in Security Information and Event Management (SIEM) solutions.
In the wake of evolving digital technologies and increasing cyber-attacks, the significance of recruiting and retaining diverse human resources cannot be emphasized enough.
5. Develop a CISO Succession Plan
The CISO at Rent-A-Center, Jason Fruge, gave his opinion that having a successful CISO succession plan in place is extremely important. He said that this will help enterprises ensure that the next CISO will be able to carry forward the vision and continue to inculcate the ongoing culture of cybersecurity. Otherwise, enterprises will go “back to square one”, and they would never be able to reach their desired destination.
In the face of the latest cybersecurity challenges, it is absolutely vital for businesses to instill a resilient cybersecurity culture, across the organization. Key security personnel should monitor the security-related behaviors and awareness level of their employees, and alter their overall security policies accordingly.
This will go a long way in changing the threat landscape. It is absolutely vital because the alternative is looking less attractive by the hour – applying no changes, and watching your business crumble to serious disruption by cyber-attacks. This is why a strong cybersecurity culture is an important asset in any enterprise’s security toolbox.