
Transforming Cybersecurity Culture from Corner Offices to Cubicles

The SMB Guide to the cybersecurity renaissance—how evolving executive leadership creates the culture to secure organizations.


Few business leaders today would deny the importance of cybersecurity. The question is, how important is it? What percentage of organizational resources—time, money, and attention—should be allocated to cybersecurity? For skilled executives thinking about operating their companies in a modern and clear-eyed manner, the answers to these questions will and should vary from organization to organization.

As the culture of cybersecurity matures, executives are increasingly managing cybersecurity the same way they manage any other business risk: what is my exposure? How badly could the business or its stakeholders be damaged if a cybersecurity breach were to occur?

The answers to these questions, of course, depend on the organization in question. Does your company manage a large volume of information-rich customer data? Does your company possess highly valuable proprietary data, such as research results or product "secret sauce" information? Does your company operate under demanding and punishing regulatory regimes? Is your company a third-party vendor to high-value industries, making your organization a plausible gateway to even richer targets? What would business disruption cost if all or part of your organization were interrupted?

At the heart of the questions to answer and the decisions to make is the dominant cybersecurity culture, which drives how cybersecurity is prioritized among executive leadership and across all teams within the organization.

By examining and strengthening both levels, executive leadership and the wider workforce, organizations will develop the tools and mindsets needed for ever-strengthening cybersecurity.



Cybersecurity Prioritization Among Executive Leadership

As the saying goes, everything starts at the top. This is true for most organizational issues, and it is undoubtedly true of cybersecurity culture. Cyberattack sophistication, the impact on breached companies, and the priority given to managing cybersecurity have all evolved rapidly over a relatively short period.

Cyberattack Responsibility—From IT Cubicles to Corner Offices

Early in the digital age, cybersecurity was solely the domain of technology team members—far from the minds of those sitting in corner offices or boardrooms. Attackers were often unorganized hackers who seemed to cause havoc for reasons indiscernible to most. However, cybercriminals were cutting their teeth, and the seemingly pointless disruptions and damage were a training ground for learning how to execute today's high-value breaches.

Cybersecurity Culture Among Executive Leadership Has a Long Way to Go

Many executive leaders recognize cybercrime as one concerning risk among many other business risks. However, for too many companies, the issue is not part of overall corporate strategy, and cybersecurity is not treated as a critical consideration when decisions about new initiatives are made.

EY's most recent Global Information Security Survey¹ revealed that 50 percent of surveyed organizations faced an increased number of disruptive attacks within the past twelve months. However, despite the rising risks, only 36 percent of new, technology-enabled business initiatives included the security team from the beginning.

There is executive involvement in a growing number of organizations: a recent ISACA and CMMI Cybersecurity Culture Report revealed that 75 percent of organizations are getting management more involved with cybersecurity culture.² However, within many organizations, executive-level involvement remains minimal even as engagement grows.


4 Moves Forward-Thinking Corporate Executives Must Make to Advance Cybersecurity Culture

1. Create a security-by-design culture.

For too long, cybersecurity has mainly been a compliance activity using a checklist approach rather than building security into every technology-enabled business initiative. Cybercriminals will not let up and will only improve their craft. To be proactive rather than reactive, executives must foster a security-by-design culture that bridges the security function and the C-suite. The chief information security officer (CISO) must serve the executive team as a consultant and strategist.

2. Communicate the cybersecurity strategy.

Every business faces unique risks and compliance demands; there is no one-size-fits-all approach. However, executives should consider primary strategic concerns such as business continuity, brand protection, compliance, and bottom-line growth. The company's culture, portfolio, and target markets must inform decision-making. For example, given the confidential, life-and-death nature of a hospital's business, business continuity and patient privacy should be the deciding factors. In contrast, for a fintech company serving small and mid-sized banks, cybersecurity expertise could be a competitive advantage used to support growth objectives. How cybersecurity fits within corporate strategy and culture must be clear so that it can protect every part of the business.

3. Position the cybersecurity function strategically.

By default, many organizations position cybersecurity under the CIO. Placing cybersecurity and other technology investments under the same budget might not be the best strategy: in most organizations, IT spending prioritizes product development, and while that is understandable, it can lead to underinvestment in cybersecurity.

4. Emphasize cybersecurity in merger and acquisition (M&A) due diligence.

M&A due diligence usually prioritizes finance, operations, human resources, sales, and IT, while cybersecurity due diligence is often ignored. However, executives increasingly realize that once two organizations are connected and their systems integrated, security weaknesses in one quickly become exposures for the other. Cybersecurity needs a prominent seat at the table during M&A due diligence and integration planning.


Transforming Cybersecurity Culture From Top to Bottom

Once the executive team, in collaboration with the CISO and other cybersecurity experts, has developed a clear cybersecurity position, cybersecurity culture must permeate every part of the company.

In short, an organization's cybersecurity culture defines the proper way to behave within the organization as team members use digital equipment and assets to conduct their work. Ultimately, a cybersecurity culture consists of the shared beliefs, values, and strategies established by executive leaders for protecting company data and digital assets. These must be communicated and reinforced through various methods, ultimately shaping employee perception, behavior, and understanding concerning the firm's cybersecurity position.

A cybersecurity culture must help the entire company understand the benefits of being a more secure organization—better serving customers, increasing profitability, strengthening the company's reputation—and the negative consequences of unsecured data. All employees must understand their role, be open to ongoing learning, and be enthusiastic about celebrating success.

Indicative of the progress many companies need to make in this area, the above-mentioned ISACA and CMMI Cybersecurity Culture Report² revealed that 60 percent of companies don't have widespread employee buy-in, 42 percent of organizations don't have an IT culture plan, and 55 percent think the CISO owns the company's cybersecurity position.

60% of companies don't have widespread employee buy-in | 42% of organizations don't have an IT culture plan | 55% think the CISO owns the company's cybersecurity position

Source: The 2018 Cybersecurity Culture Report, ISACA and CMMI Institute


Organizations can strengthen their cybersecurity culture by:

Sharing the Bigger Picture

Share where cybersecurity fits into overall corporate strategies and goals. Explain the roles each functional team and individual team member needs to play, based on the position and strategic decisions the executive leadership makes.

Providing Regular Training and Education to Increase Team Member Confidence

Cybersecurity professionals understand that technology users are the most significant risk to cybersecurity. Criminals have become increasingly proficient at researching and targeting their victims and will capitalize on any mistake employees make. Regular training and exercises, such as phishing simulations, help, as does sharing information on the latest attack strategies and providing education built around concrete examples.

Removing Fear

Many employees are afraid to inconvenience the IT or cybersecurity team with something they think might be silly. Actively encourage all employees to share anything that looks suspicious with IT, and offer as much feedback as possible to increase their knowledge about potential cyberattacks. When an employee reports something that seems trivial to individuals with more cybersecurity knowledge, it is critical that IT personnel do not make the employee feel foolish and that the employee is thanked for cooperating.

Encouraging Two-Way Listening

Open communication between the IT department and technology users is vital, because many vulnerabilities are created when technology teams inadvertently introduce too much process friction in their pursuit of stronger security. If completing work becomes too hard, employees will create workarounds—like shadow databases and financial reports maintained outside approved systems—to stay productive and make their lives easier. In many cases, compromises between security and productivity will be needed to develop solutions that align with the company's cybersecurity culture.

Engaging Employees, Not Lecturing Them

Cybersecurity policies and procedures must be updated regularly, but the updates need to be written so they are easy to understand. They should be as concise and interesting as possible, and not disseminated so frequently that recipients are tempted to tune out.

Celebrating Individual Successes

Highlight examples of successful employee efforts, no matter how small. This makes the employee who took action feel valued and reinforces the idea that all employees have an important role to play.

Celebrating Organizational Success

If the organization meets specific cybersecurity performance metrics, celebrate. If there is a breach but it was handled well and the damage was minimized, celebrate that as well.


Conclusion

Cybersecurity can no longer be a bolt-on activity—an afterthought to check the boxes of regulatory requirements. Because cybercriminals will only become better at what they do, a security-by-design culture must be at the forefront of all new initiatives that impact or leverage digital connectivity. This is a meaningful shift in approach for most companies, and it must start at the very top of the organization—the C-suite.

Additionally, secure operational practices must permeate day-to-day activities within the company. For top-to-bottom cybersecurity culture to take hold, all team members must understand what is needed from them, engage with the broader cybersecurity philosophy, receive regular training, and feel that cybersecurity team members are open to listening to them.

Adjusting the culture and behavior of an organization from top to bottom is not a simple task, but this is the work of the cybersecurity renaissance that is transforming every organization.

www.silversky.com

Contact Details: US: 1-800-234-2175 | E: [email protected] | 4813 Emperor Boulevard, Suite 200, Durham, North Carolina 27703 | linkedin.com/company/silversky | twitter.com/SilverSky

Copyright © BAE Systems plc 2019. All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No. 1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.

Resources:

1. Kris Lovejoy, "How does security evolve from bolted on to built-in?", EY, February 18, 2020.
2. The 2018 Cybersecurity Culture Report, ISACA and CMMI Institute.