Firewalls are in place. Password policies are written. Everyone took the training. So why is your organization still at risk for a cybersecurity breach? Good cybersecurity is not just about developing good policies and procedures. It’s about cultivating a cybersecurity culture — and that requires leadership. The best indicator of a cyber culture is whether the people in decision-making positions understand cybersecurity, talk about it, prioritize resources for it, and follow it themselves.
We’ve identified six actions that leaders can take to create and support a cybersecure culture.
Nearly every organization has a compliance team to analyze risk and implement change. These teams need to involve people from across the organization. Who better to represent specific needs or share departmental challenges? Because being involved requires working knowledge of IT systems and more than a basic understanding of cybersecurity, involving representatives requires an investment. Involving everyone also requires clear communication about change, that is, what will happen, when, who it impacts, and why it’s important.
Connect Security to Mission
Every person in an organization needs to shoulder responsibility for cybersecurity. After all, an attack could begin with a careless click on a link. Tying cybersecurity to the organization’s mission allows each individual to accept responsibility for vigilance.
Invest in Expertise
No organization has all the resources it needs to implement a robust and evolving cybersecurity program. Choosing a good outsourcing partner that complements internal resources sends the message that expertise is a good investment. In the same vein, leaders should invest in offering training that moves beyond the basics of password protocols.
Policies shouldn’t be one-size-fits-all. Consider a policy that prevents downloading any electronic files. That looks fine on paper, but it would be impossible in reality for parts of the organization that routinely need to access data or reports from outside sources. Thoughtful policies start with the philosophy, “Don’t tell me what I can’t do, tell me how I can do it safely.”
Invest Upfront Instead of Cleaning Up Later
Organizations with a cybersecurity culture understand and prioritize preventative measures. They know that investing in comprehensive controls and training is expensive, but far more affordable than recovering after a breach. Leaders who delay or ignore cyber issues are inviting targets that put related organizations and shared systems at risk too.
Walk the Walk
Finally, as noted earlier, leaders need to show their personal commitment to cybersecurity. Here’s how to do that:
- Consider cybersecurity in operational and strategic decisions.
- Demonstrate that you personally follow protocols.
- Have zero tolerance for noncompliance.
- Seek expertise and outside perspectives about cybersecurity issues.
- Prioritize budgets, time, and other resources for cybersecurity.
- Test employees to promote vigilance.
“Leaders must thoroughly analyze their ‘why’ for cybersecurity and be very clear regarding their choice. The chosen strategy will cascade down to operational activities, which will then drive business outcomes. You can’t afford to be aimless or generic with your cyber strategy — there’s too much at stake.”