Transforming Cybersecurity Culture from Corner Offices to Cubicles
The SMB Guide to the cybersecurity renaissance—how evolving
executive leadership creates the culture to secure organizations.
Few business leaders today would deny the importance of
cybersecurity. The question is, how important is it? What
percentage of organizational resources—time, money, and
attention—should be allocated to cybersecurity? For skilled
executives thinking about operating their companies in a modern
and clear-eyed manner, the answers to these questions will and
should vary from organization to organization.
As the culture of cybersecurity matures, executives are increasingly
thinking about cybersecurity management in the same manner
as they would any other business risk: what is my exposure?
How badly could the business or its stakeholders be damaged if a
cybersecurity breach were to occur?
The answers to these questions, of course, depend on the
organization in question. Does your company manage a large
volume of information-rich customer data? Does your company
possess highly valuable proprietary data like research results or
product “secret sauce” information? Does your company operate
under demanding and punishing regulatory constructs? Is your
company a third-party vendor to high-value industries making your
organization a plausible gateway to even richer rewards? What
would be the price of business disruption if your organization or parts
were interrupted?
At the heart of the questions to answer and the decisions to make
is the dominant cybersecurity culture driving how cybersecurity
is prioritized among executive leadership and all teams within the
organization.
By exploring and strengthening each of these areas, organizations
will develop the tools and mindsets needed for ever-strengthening
cybersecurity.
Cybersecurity Prioritization Among Executive Leadership
As the saying goes, everything starts at the top. This is true for most
organizational issues, and it is undoubtedly true of cybersecurity
culture. Cyberattack sophistication, the impact on breached
companies, and the prioritization of cybersecurity management
have all evolved rapidly over a fairly short period.
Cyberattack Responsibility—From IT Cubicles to Corner Offices
Early in the digital age, cybersecurity was solely the domain
of technology team members—far from the minds of those
sitting in corner offices or boardrooms. Attackers were often
unorganized hackers who seemed to like to cause havoc
for reasons that were indiscernible to most. However,
cybercriminals were cutting their teeth, and the seemingly
pointless disruptions and damage were a training ground
for learning how to execute today’s high-value breaches.
Cybersecurity Culture Among Executive Leadership Has a Long Way to Go
Many executive leaders recognize cybercrime as a concerning risk on a list
of many other business risks. However, for too many companies,
the issue is not part of overall corporate strategy, and cybersecurity is not
included as a critical consideration as decisions about various initiatives are made.
EY’s most recent Global Information Security Survey [1]
revealed that 50 percent of surveyed organizations faced
an increased number of disruptive attacks within the past
twelve months. However, despite the rising risks, only 36
percent of new, technology-enabled business initiatives
included the security team from the beginning.
There is executive involvement in a growing number of organizations—a
recent ISACA and CMMI Cybersecurity Culture Report revealed that 75
percent of organizations are getting management more involved with
cybersecurity culture [2]. However, within many organizations, executive-level
involvement is minimal even if engagement is growing.
4 Moves Forward-Thinking Corporate Executives Must Make to Advance Cybersecurity Culture
1. Create a security-by-design culture.
For too long, cybersecurity has mainly been a compliance activity using a checklist approach rather than building
security into every technology-enabled business initiative. Cybercriminals will not let up and will only improve their craft.
To be proactive rather than reactive, executives must foster a security-by-design culture that bridges the security function
and the C-suite. The chief information security officer (CISO) must serve the executive team as a consultant and strategist.
2. Communicate the cybersecurity strategy.
Every business faces unique risks and compliance demands. There is no one-size-fits-all approach. However, executives should
consider primary strategic concerns such as business continuity, brand protection, compliance, and bottom-line growth.
The company’s culture, portfolio, and target markets must inform decision-making. For example, given the confidential, life-and-death
nature of a hospital’s business, business continuity and patient privacy should be deciding factors. In contrast, for a Fintech company
serving small and mid-sized banks, cybersecurity expertise could be a competitive advantage used to support growth objectives.
How cybersecurity fits within corporate strategy and culture must be clear so that it can protect every part of the business.
3. Position the cybersecurity function strategically.
By default, many organizations position cybersecurity under the CIO. Placing cybersecurity and other technology investments under the
same budget might not be the best strategy. In most organizations, IT spending prioritizes product development. While understandable,
this can lead to underinvestment in cybersecurity.
4. Emphasize cybersecurity in merger and acquisition (M&A) due diligence.
M&A due diligence usually prioritizes finance, operations, human resources, sales, and IT, while cybersecurity due diligence is often
ignored. However, executives increasingly realize that once two organizations are connected and their systems integrated, security
vulnerabilities in one will quickly infect the other. Cybersecurity needs to have a prominent seat at the table during M&A due diligence
and integration planning.
Transforming Cybersecurity Culture From Top to Bottom
Once the executive team, in collaboration with the CISO and other
cybersecurity experts, has developed a clear cybersecurity position,
cybersecurity culture must permeate every part of the company.
In short, an organization’s cybersecurity culture defines the proper
way to behave within the organization as team members use digital
equipment and assets to conduct their work. Ultimately, a cybersecurity
culture consists of the shared beliefs, values, and strategies established
by executive leaders for protecting company data and digital
assets. These areas must be communicated and reinforced through
various methods, ultimately shaping employee perception, behavior,
and understanding concerning the firm’s cybersecurity position.
A cybersecurity culture must facilitate the entire company’s understanding
of the benefits of being a more secure organization—benefits
like better serving customers, increasing profitability, and strengthening the
company’s reputation—and the negative consequences of unsecured
data. All employees must understand their role, be open to ongoing
learning, and be enthusiastic about celebrating success.
Indicative of the progress many companies need to make in this
area, the above-mentioned ISACA and CMMI Cybersecurity Culture
Report [2] revealed that 60 percent of companies don’t have widespread
employee buy-in, 42 percent of organizations don’t have an IT culture
plan, and 55 percent think the CISO owns the company’s cybersecurity
position.
Source: The 2018 Cybersecurity Culture Report, ISACA and CMMI Institute
Organizations can strengthen their cybersecurity culture by:
Sharing the Bigger Picture
Share where cybersecurity fits into overall corporate strategies and goals. Explain the roles each functional team and individual team member needs to play, based on the position and strategic decisions
the executive leadership makes.
Providing Regular Training and Education to Increase Team Member Confidence
Cybersecurity professionals understand that technology users are the most significant risk to cybersecurity. Criminals have become increasingly proficient at researching and targeting their victims and will capitalize on any mistake employees make. However, regular training and exercises, like phishing simulations, can be helpful. Also, sharing information on the latest attack strategies and providing
education that includes examples work well.
Removing Fear
Many employees are afraid to inconvenience the IT or cybersecurity team with something they think might be silly. Adamantly encourage all employees to share anything that looks suspicious with IT, and offer as much feedback as possible to increase their knowledge about potential cyberattacks. Furthermore, if an employee
reports something that seems trivial to individuals with more cybersecurity knowledge, it is critical that IT
personnel do not make that employee feel silly and that
they are thanked for their cooperation.
Encouraging Two-Way Listening
Open communication between the IT department and technology users is vital, as many vulnerabilities are created by technology teams inadvertently introducing too much process friction in their pursuit of stronger security. If completing work becomes too hard, employees will create workarounds—like shadow databases and financial reports—to enhance their productivity and make their lives easier. In many cases, there will need to be compromises between security and productivity to develop solutions that align with the company’s cybersecurity
culture.
Engaging Employees, Not Lecturing Them
Cybersecurity policies and procedures must be updated regularly. But these updates need to be compiled so that they are easy to understand. They should be as concise and interesting as possible and not disseminated so frequently that recipients become increasingly
tempted to tune out.
Celebrating Individual Successes
Highlight examples of successful employee efforts, no matter how small. This will make the employee who took action feel valued and will
reinforce the idea that all employees have an important role to play.
Celebrating Organizational Success
If the organization meets specific cybersecurity performance metrics, celebrate. If there is a breach, but it was handled well, and the damage
was minimized, celebrate that as well.
Conclusion
Cybersecurity can no longer be a bolt-on activity—an afterthought to check the boxes of
regulatory requirements. Because cybercriminals will only become better at what they do, a
security-by-design culture must be at the forefront of all new initiatives that impact or leverage
digital connectivity. This is a meaningful shift in approach for most companies that must start at the
very top of the organization—the C-suite.
Additionally, secure operational practices must permeate day-to-day activities within the company.
For top-to-bottom cybersecurity culture to take hold, all team members must understand what
is needed from them, engage with the broader cybersecurity philosophy, receive regular training,
and feel that cybersecurity team members are open to listening to them.
While adjusting the culture and behavior of an organization from top to bottom is not a simple
task, it is the work of the cybersecurity renaissance that is transforming every organization.
www.silversky.com
Contact Details: US: 1-800-234-2175 | E: [email protected]
4813 Emperor Boulevard, Suite 200, Durham, North Carolina 27703
linkedin.com/company/silversky | twitter.com/SilverSky
Copyright © BAE Systems plc 2019. All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.
Resources:
1. How does security evolve from bolted on to built-in?, Kris Lovejoy, EY, February 18, 2020
2. The 2018 Cybersecurity Culture Report, ISACA and CMMI Institute