Building a culture of cyber awareness is a team effort
The Occupational Safety and Health Administration (OSHA.gov) helps ensure that all employees work in a safe and healthy working environment by sharing in the responsibility for reporting unsafe or hazardous conditions. Given the potential damages from cyber-attacks, it’s curious that organizational cybersecurity has not been enforced in a similar way. In today’s threat landscape, it’s no longer enough to simply participate in cybersecurity awareness training – it’s critical for every employee to actively do their part to ensure data security.
Consider this example: when acquiring equipment and/or services that will be connected to the company ecosystem, the systems will have access to company data and infrastructure. The systems could become the foothold for an adversary to gain unauthorized access to your company’s core infrastructure and sensitive data. This is why every involved employee must be aware of the threats, risks, and tradeoffs that come from integrating them within the current ecosystem.
Cultivating this level of cyber awareness starts at the top. The board of directors, C-suite and top level management must be equally accountable for providing guidance that cybersecurity and cyber resiliency are critical to the viability of the organization. The C-suite must understand how cyber threats would affect the organization and recommend preventative actions to the board. If the board doesn’t have the knowledge or expertise to understand the ramifications of modern cyber threats, they are blind to some of the biggest risks facing the business. To successfully demonstrate cyber risk to the organization as a whole, an executive team must be able to model scenarios that go beyond the traditional disaster recovery example. They need to demonstrate the consequences of a breach in terms of dollars, downtime, recovery efforts, and reputational damage for each type of cyber incident for every member of their team.
Create a culture of action and change
Three forces have necessitated a change in cybersecurity culture:
- Cyber threats are constantly evolving
- The regulatory landscape is changing
- Increased severity of legal consequences
Evolving threats, regulatory compliance and consequences
Passive cybersecurity tools and posture are not going to be sufficient against tomorrow’s hacker or insider threat. Regulations are changing, which necessitates that systems include active cybersecurity protections. Proactively adopting technologies with advanced cyber capabilities during a normal buying cycle may eliminate the reactionary need for ripping and replacing systems while adding costly security tools to meet compliance deadlines out of cycle.
Many organizations have been self-attesting that they meet the spirit of the regulations and reasonable care for sensitive data; but after allegations, investigations or incidents they may be liable for fines as well as face prosecution as the defendant in a lawsuit.
Start at the top
A culture of change requires executive sponsorship. As organizations shift to more cyber aware and cyber secure states, decisions must made about anything that affects the cyber posture and hygiene of the organization should get visibility at the top level. Top-level management must have visibility into the tradeoffs and decisions being made by lower-level technical decision makers, influencers and implementors until there is confidence that the team can demonstrate an understanding of the threats and consequences of those decisions to the business and key stakeholders.
There will be times that the lower levels will never be able to comprehend the impact or breadth of the decision because they won’t be privy to all of the factors driving data security. Imagine a company has confidential plans to sell or acquire a business. The executive management and board will want to ensure protections are in place to defend information that could impact that transaction without exposing those interests to even a mid-level manager. So, it is important that potentially impactful decisions are made with the full knowledge and consent of executive leadership.