The Need for a Cybersecurity-Centric Business Culture

It starts at the top: Building a culture from the top down is not a new concept, but its relevance to cybersecurity within organizations is gaining the traction it deserves. At a base level, in order to simply have the technical applications and experienced personnel in place to adequately protect an organization, you need the individuals with the purse strings to be onboard. The sell likely has become easier over the past several years as incidents are in the news, the visibility grows, and those in the C-suite see similarly situated organizations fall victim to cyberattacks. At the end of the day, the message needs to be loud and clear from an organization's leadership that: a) we understand and appreciate the evolving cybersecurity risk to our company; and b) we are willing to invest in the security of our environment (both from technical and non-technical standpoints) to protect our business.

Demonstrate that cybersecurity matters: It might seem like we're asking a lot of an organization's leadership when it comes to creating a culture of cybersecurity, and that might be true. But building a culture of any kind within an organization begins with leadership embracing an idea and then continuing to acknowledge and engage on the topic. In this context, it means making cybersecurity part of the lexicon of an organization and finding the right opportunities to continuously demonstrate its importance to the company. How an organization decides to do this might depend on how it communicates with its workforce generally on other important topics, but some simple options include: 1) Regularly re-engaging on the topics of cybersecurity via an email newsletter from the chief information security officer (CISO) — highlighting not just what the company is doing on the technical side, but what challenges all organizations are facing related to evolving threats (e.g., AI) and the CISO's take on how every employee can help; and 2) Discussing cybersecurity on CEO- or COO-led companywide calls and emphasizing the importance of a strong cybersecurity culture to the longevity and success of the business. The more leadership discusses the importance of a culture of cybersecurity, the more employees will acknowledge that risk and ultimately accept a level of responsibility for the organization's cybersecurity safety.

Educate (and then test and test again): Ben Franklin once said, "An investment in knowledge pays the best interest," and when the average cost of an incident globally is in excess of $4 million, that certainly rings true when it comes to cybersecurity. There can be no doubt, the investment in educating and building an employee base knowledgeable about cybersecurity has real economic value to an organization. This training allows employees to act as the last line of defense against a range of cyber threats, but perhaps equally as important, it empowers every employee to be a cybersecurity advocate for the organization, reminding their colleagues the importance of vigilance in support of a culture of cybersecurity. So how do you educate your employees? It starts with implementing a robust cybersecurity training program (hopefully something both educational and fun) and it continues by keeping your employees on their toes — using test phishing emails (and even text messages). The training and testing are then followed up with subsequent "re-training," if needed, to keep cybersecurity top of mind. Organizations can then share the outcomes of these test phishing emails with all employees (on standing calls or in their CISO newsletter) to take advantage of another key opportunity to speak to and re-enforce the importance of cybersecurity with real data and then share ways to help everyone do better.