How to foster a culture of security in uncertain times
However, by speeding up the deployment of digital technologies, this acceleration has the potential to dramatically expand the attack surface and, consequently, cyber risk. This is evidenced by the same report, which found that 70% of large businesses believe remote working makes them more vulnerable to cyber-attacks.
And yet, C-suite executives should not think of security as a purely technical problem. It is, first and foremost, a business challenge, and one that has only been exacerbated during the COVID period. To help companies navigate these uncertain times, here are some guidelines for fostering a security-first culture within the business.
Tether security to business objectives
As C-suite stakeholders develop, change, and implement their overall business objectives, it is important for CISOs and security leaders to be engaged in these conversations from the outset. Having immediate line-of-sight into the business objectives helps security leaders work within those parameters to create a customised, scalable, and highly secure system that can ultimately help the company reach its desired business outcomes.
Indeed, over time we will increasingly see CFOs blending their roles to become more integrated with CISOs, making explicit the connection between security investments and risks to the bottom line. Start this conversation by identifying the business benefits of security. For example, better security means the company does not have to shut down operations because of a breach, which leads to less downtime and greater productivity.
Together, the entire C-suite should determine which cyber security measures best serve the company’s existing and future business outcomes, along with financial interests.
Think less in terms of ROI metrics
Business leaders looking to tie security to business outcomes need to think less about short-term ROI and start thinking about security as a long-term investment. It is difficult to justify results if security gets bundled into a short-term ROI metric. That is why, for years, security was thought of as an insurance policy: it was something business executives could understand.
Of course, when security was framed that way, security programmes failed because too often business executives did not understand the risks – or were simply willing to take their chances and hope they were not the next target of a cyber-attack.
Today, they have no choice but to understand. The threats – and the negative impact to the business in the form of downtime, customer trust, brand image, lost revenue, and damaged IT equipment – are all too well documented. As we look at what sets a strong security posture vs. a less mature one, it starts with executives reaching agreement and understanding the long-term benefits of having a robust security programme. The odds of success increase immeasurably if a company can nurture the long-term support of a security-first culture.
While many companies are applying financial constraints because of COVID, cutting security investments to achieve a short-term ROI can lead to a disastrous short-term outcome with potentially no long-term options. Companies should instead look to optimise their security investments.
Know that security starts at the top
CEOs need to take a leadership stance when it comes to security. This is for the simple reason that security programmes work best when CEOs position security as a critical element that helps make the company stronger, safer and more strategic. Security makes it possible for business leaders to focus on what’s most important – innovation, market growth and profitability.
Too often CISOs and security leaders develop security programmes that are only shared with employees on an annual basis. When this “one and done” approach is taken, security does not resonate at all levels of the business and hinders the desired outcome of creating a strong security culture. It creates a communication and education gap whereby security teams are left as the sole communicators responsible for company security practices.
So, making security a routine topic of business discussion in staff meetings, employee training, end-of-year evaluations, business strategy sessions, budget planning meetings, and mergers and acquisition evaluations can go a long way towards filling that gap. Security should be part of the culture, not just a yearly initiative to tick a box.
Assess risk continuously
To understand how it will handle business disruptions in the event of something unforeseen, an organisation must first understand its risks.
As organisations go through digital transformation, they need to determine their appetite for risk and the rate of change they can absorb. Part of the planning needs to include ongoing risk assessment at the strategic, tactical and operational levels. Companies should determine the risks to any plan and, in the event of a disruption, have a strategy nimble enough to mitigate the risks they have identified.
A strong cyber security practice works in tandem with line-of-business managers to continuously identify risk and its impact to the business.
Make security a shared responsibility
With the rapid change many companies have made to enable an entirely remote workforce, it is important for businesses to educate employees on their shared responsibility for security. After all, the human element represents much of the risk in an organisation.
As part of this education, employees should understand that security enables the business and the work that they do. For example, companies can look for authentication methods that reduce friction and make it easier for employees to access applications and do their jobs. If employees are connected to their work, they will connect to the need for better security.
Conversely, employees should recognise that they share in the overall security of the business: by not bypassing important security controls, and by using the designated business applications, devices and services, they help keep the business safer. For example, when sharing the impact of compromised credentials and ransomware, executives can communicate that these cyber threats do not just happen in the workplace but take place on personal devices as well.
Ultimately, security belongs to every employee in the company, from the C-suite down to the seasonal intern – everyone owns a portion of the exposed attack surface. Creating a security culture in which the entire workforce understands that security makes the business stronger and their jobs easier is key to keeping it buoyant in these uncertain times.
Author: Theresa Lanowitz, head of communications and evangelism, AT&T Cybersecurity