Five Tips To Drive A Cybersecurity Transformation In Your Organization

In an age of highly sophisticated and constantly evolving cyber threats, building a solid cybersecurity culture into your organization is crucial. The United States has the highest average data breach cost in the world, at $9.48 million per breach. More often than not, only the IT department is expected to cover an organization's security. That is not a sustainable direction for the coming years.

Challenges to Overcome

CISOs often have a hard time getting their plans signed off or their budgets allotted. Carlos Morales – SVP of solutions at Neustar Security Services – says, “Macroeconomic issues are driving down spending across all sectors, and the way a lot of leaders are handling it is by cutting across all programs without careful consideration for where they’re making their cuts.” When an organization does not grasp the gravity of its security concerns, its leadership will often cling to the status quo, or even cut security spending.

We recently interviewed the stalwart thought leader and former CISO Jim Routh, who has worked with companies like MassMutual, Aetna and JP Morgan Chase. He pointed out the immense talent shortage in the cybersecurity industry. “We have had a talent shortage for more than 10 years. It’s not changing. The number of cyber security jobs is increasing somewhere between 15 and 18 percent per year. But if you look at the cyber security talent entering the marketplace, it’s only between two and four percent growth year over year.” Routh's advice? Snatch up cybersecurity talent as soon as they appear on your radar, whether there are open positions or not.


Benefits of a Cybersecurity Culture

Creating a security culture in your company goes a long way beyond awareness and support from your colleagues. A good cybersecurity culture can:

  • Keep your customers safe.
  • Keep your revenue intact.
  • Protect your brand image and organically build your brand reputation.
  • Avoid unnecessary lawsuits, fines and penalties by meeting baseline security standards.


Neglecting cybersecurity can have costly consequences for an organization. Negligence in handling customers' personal information may cost your company not only the expense of resolving the data breach, but also lawsuits and fines. You may also find it difficult to regain your brand image and your customers' trust.

In 2014, eBay lowered its sales projections by $200 million after losing users in the wake of a data breach, at a time when it did not use multi-factor authentication (MFA), which requires users to verify a code sent to their phones each time they log in. Similarly, in 2020, when a major attack penetrated organizations including the US federal government and large corporations, multiple victims took a revenue hit in the form of plunging stock prices and lower sales.

The reality today is that even large, well-established companies fall short on security. It is natural for an organization to wonder where to start.

Each business field has specific, specialized laws that a company must follow to attain baseline security. In the United States, for instance, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets the standards for how medical information is to be stored, accessed and shared. Find out what the law is for your business field in your country, and make sure your service satisfies each requirement. Running your service to the required security standards is the first step in building a security culture in your organization.

With this in mind, how do you bring about a strong cyber security culture in your workplace? 


Here is a list of strategies you can follow to build a consistent and responsible security outlook among your colleagues and team, so that you have their support when you need to strengthen your security posture.

1. Open Dialogue With Everyone

Including everyone in the conversation is the first step in creating a positive culture of change. As long as the details of your security concerns stay inside your IT team's meeting room, you cannot expect support from your higher-ups and colleagues.

Be it a coffee break or a casual chat over lunch, keep them in the loop about the IT department's day-to-day security activities.

Here are some things you could chat about:

  • Are there times you have successfully deterred cybersecurity attacks?
  • Was there a time you missed a breach or failed to respond immediately? Why did that happen, and how did you turn it into a learning opportunity?
  • Break down your security actions and challenges into simple terms. Avoid excessive jargon.

Not having these conversations will only distance people from your perspective, and that will not help when you pitch a new plan or make a budget request later. In the long run, talking regularly helps you communicate that cybersecurity is not negotiable.

2. Keep it Entertaining

Introducing change is a struggle every organization experiences, especially with cybersecurity. So when the opportunity for change comes, seize it right away.

Your approach to raising cybersecurity awareness among your colleagues doesn't have to be long, boring presentations where everyone is trying to hide their yawns.

Try these instead, or give them your own creative twist:

  • A trivia game testing your peers' knowledge of the current cybersecurity landscape.
  • A password-cracking game.
  • A phishing-email creative writing contest.

Learning alongside a bit of laughter and fun goes a long way.
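As an added example of what a password-cracking game can look like in practice (this script is not from the original article; it is illustrative code added here), the following Python shows the mechanics in miniature: players' passwords are hashed with plain, unsalted SHA-256, which is an assumption chosen so the exercise is quick, and then a small constructed wordlist plus a few mangling rules (capitalisation, leetspeak, common suffixes) is run against the hashes. The passwords, the wordlist and the rules are all constructed for the demo; a real session would use a full wordlist such as rockyou.txt and a tool like hashcat, but the lesson is the same: anything built from a dictionary word falls in a handful of guesses, while a long passphrase or a non-dictionary string survives.

```python
import hashlib

# Constructed demo data for the game: a handful of "player" passwords. Their
# unsalted SHA-256 hashes are the targets. Illustrative values, not a real dump.
DEMO_PASSWORDS = [
    "password",
    "Summer2023!",
    "letmein",
    "Tr0ub4dor&3",
    "correct horse battery staple",
]

# Constructed mini wordlist standing in for a real list such as rockyou.txt.
WORDLIST = ["password", "letmein", "summer", "welcome", "troubadour", "qwerty"]

# Simple mangling rules of the kind real cracking tools apply to each base word.
SUFFIXES = ["", "1", "123", "!", "2023", "2023!"]
LEET = str.maketrans({"o": "0", "a": "4", "e": "3"})


def sha256_hex(text: str) -> str:
    """Hash a candidate the way the demo's (deliberately weak, unsalted) store does."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def candidates(word: str):
    """Yield the base word and its mangled variants, each with every suffix."""
    forms = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    seen = set()
    for form in forms:
        if form in seen:
            continue
        seen.add(form)
        for suffix in SUFFIXES:
            yield form + suffix


def crack(target_hashes, wordlist):
    """Dictionary attack. Returns ({hash: plaintext}, number_of_guesses)."""
    found = {}
    guesses = 0
    remaining = set(target_hashes)
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            digest = sha256_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
    return found, guesses


def game_report(passwords, wordlist):
    """Score each player's password: True if the wordlist cracked it."""
    by_hash = {sha256_hex(p): p for p in passwords}
    found, guesses = crack(by_hash.keys(), wordlist)
    report = {p: (h in found) for h, p in by_hash.items()}
    return report, guesses


if __name__ == "__main__":
    report, guesses = game_report(DEMO_PASSWORDS, WORDLIST)
    for pw, cracked in report.items():
        print(f"{'CRACKED ' if cracked else 'survived'}  {pw}")
    print(f"{sum(report.values())}/{len(report)} cracked after {guesses} guesses")
```

Run as-is, three of the five demo passwords fall within 144 guesses ("password", "letmein" and "Summer2023!", the last one via capitalisation plus a year-and-bang suffix), while "Tr0ub4dor&3" and the four-word passphrase survive. The unsalted fast hash is what makes the game instant; it is also the point to make afterwards, since a real credential store should use a salted, slow hash (bcrypt, scrypt or Argon2) precisely so that this kind of guessing is expensive.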

3. Flesh out your plan before you meet the Board

When you don't have a clear strategy, it is easy for the board to shoot down your idea. The typical mindset is: if we don't understand this, or we haven't heard of it before, it's probably not necessary for our organization.

To counter this, brainstorm with your team and have a clear picture of your plan, detailing the support and the incentives you will need. Be prepared to articulate and reinforce why your plan is necessary for the company's betterment, and what the rewards are for investing time and money in it.

For instance, suppose you want your company to invest in a SOAR tool to handle low-level alerts so that your team can focus on bigger, more complex threats. Chart out how an attack on your most important assets and resources would affect the company's operations. How would it affect stakeholders' trust in the company, and how does the proposed technology help? Would the cost force you to raise product prices, and would that discourage customers from buying your services?

When your plans are approved, keep top management updated on progress, setbacks and any major changes in course. With a concrete security culture and trust in your IT team, your company will lend credibility to your ideas and support you.

 
4. Adopt a Security Development Lifecycle (SDL)

When building a product or an application, an SDL is a proactive way to ensure security is built into every step of the software development process. Security requirements, threat modeling and security testing are performed as part of the SDL to strengthen your systems. If you haven't already, invest in an SDL to enhance your company's current cybersecurity model.


5. Invest in Managed Detection and Response (MDR)

To counter ever-evolving threats, it is neither useful nor sustainable to keep adding new technology without the specific skills and knowledge to operate it. There is a good chance you are wasting money on tools that are not used to their full potential.

Managed Detection and Response services give organizations the guidance of cybersecurity experts across the board: running a secure SOC, network architecture, choosing the right tools on the market, getting the most out of existing tools, and charting a security strategy informed by current threat trends. Small, medium-sized and understaffed organizations typically benefit most from MDR.


How are things done at your organization? 

Whether you talk about it or not, every company already has a cybersecurity culture, because it has very likely already faced security threats. According to IBM's Cost of a Data Breach Report 2022, 83% of participating organizations said the breach they reported was not their first.

There will always be practices that put safety front and center, and likewise areas where you feel security must be tightened. But you can't build a cybersecurity culture overnight. Be consistent in keeping people informed and involved, and things will fall into place.

Always keep in mind that your efforts to transform your cybersecurity culture should account for the company's own changes and growth. Make sure your team stays open to unforeseen changes in direction and to feedback, because when a company fosters a sustainable cybersecurity culture, unexpected ideas crop up from every direction.


Need help getting started with the right cyber culture for your organization? We're a message away.
