As the saying goes, everything starts at the top. This is true for most organizational issues, and it is undoubtedly true of cybersecurity culture. The sophistication of cyberattacks, their impact on breached companies, and the priority given to managing cybersecurity have all evolved rapidly over a short period.
Cyberattack Responsibility—From IT Cubicles to Corner Offices
Early in the digital age, cybersecurity was solely the domain of technology team members, far from the minds of those sitting in corner offices or boardrooms. Attackers were often unorganized hackers who caused havoc for reasons that were indiscernible to most. However, cybercriminals were cutting their teeth, and the seemingly pointless disruptions and damage were a training ground for learning how to execute today's high-value breaches.
Cybersecurity Culture Among Executive Leadership Has a Long Way to Go
Many executive leaders recognize cybercrime as one concerning risk among many other business risks. However, for too many companies, the issue is not part of overall corporate strategy, and cybersecurity is not treated as a critical consideration when decisions about new initiatives are made.
EY’s most recent Global Information Security Survey revealed that 50 percent of surveyed organizations faced an increased number of disruptive attacks within the past twelve months. However, despite the rising risks, only 36 percent of new, technology-enabled business initiatives included the security team from the beginning.
Executive involvement is growing in a number of organizations: a recent ISACA and CMMI Cybersecurity Culture Report revealed that 75 percent of organizations are getting management more involved with cybersecurity culture. However, within many organizations, executive-level involvement remains minimal even if engagement is growing.
4 Moves Forward-Thinking Corporate Executives Must Make to Advance Cybersecurity Culture
1. Create a security-by-design culture. For too long, cybersecurity has mainly been a compliance activity driven by a checklist approach rather than by building security into every technology-enabled business initiative. Cybercriminals will not let up and will only improve their craft. To be proactive rather than reactive, executives must foster a security-by-design culture that bridges the security function and the C-suite. The chief information security officer (CISO) must serve the executive team as a consultant and strategist, involved from the start of each initiative rather than consulted after decisions have been made.
2. Communicate the cybersecurity strategy. Every business faces unique risks and compliance demands. There is no one-size-fits-all approach. However, executives should consider primary strategic concerns such as business continuity, brand protection, compliance, and bottom-line growth. The company’s culture, portfolio, and target markets must inform decision-making. For example, given the confidential, life-and-death nature of a hospital’s business, business continuity and patient privacy should be deciding factors. In contrast, for a Fintech company serving small and mid-sized banks, cybersecurity expertise could be a competitive advantage used to support growth objectives. How cybersecurity fits within corporate strategy and culture must be clear so that it can protect every part of the business.
3. Position the cybersecurity function strategically. By default, many organizations place cybersecurity under the CIO. Placing cybersecurity and other technology investments under the same budget might not be the best strategy: in most organizations, IT spending prioritizes product development, and while that is understandable, it can lead to chronic underinvestment in cybersecurity. Giving the security function its own budget and a reporting line with direct access to executive leadership helps avoid that trade-off.
4. Emphasize cybersecurity in merger and acquisition (M&A) due diligence. M&A due diligence usually prioritizes finance, operations, human resources, sales, and IT, while cybersecurity due diligence is often ignored. However, executives increasingly realize that once two organizations are connected and their systems integrated, a security weakness in one quickly becomes exposure for the other, including any undetected compromise the acquired company brings with it. Cybersecurity needs to have a prominent seat at the table during M&A due diligence and integration planning.
With the proper vision, steps, and planning, a strong cybersecurity culture can be envisioned, crafted, and communicated within your organization. If SilverSky's Professional Services team can help you as you undertake this journey, don't hesitate to contact us.