For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail.
Leaders around the globe are not naive regarding the impact cyberattacks have on a business. From affecting the bottom line to losing your customer's trust, recovering from a cyberattack isn't easy. When an organization succumbs to an attack, nearly every business unit is affected, costing the business, on average, $3.86 million. While most CSOs and CISOs want to be the ones to prevent and fix this, they must realize they can't take this on alone. There is a strong argument to be made that cybersecurity needs to go beyond the CSOs, CISOs, and their teams. Security needs to be a companywide effort and embraced as part of the company's core culture.
Most have heard the saying "Culture eats strategy for breakfast," and CISOs around the world know how true it is. The adage carries over to the security world in a basic way. Any security strategy or plan you're trying to implement will be held back by the people you depend on if the culture does not support it.
Today, many companies are struggling to embrace a culture of security. Only 5% of organizations believe that no gap exists between their current cybersecurity culture and their desired cybersecurity culture, according to a recent survey put out by ISACA. This means that a whopping 95% of organizations see a disconnect between the culture they have and the culture they want. So, what can businesses do?
Accept That Your Security Team Can't Do It Alone
One of the challenges in cybersecurity is that most organizations take the approach of having one security team and thinki that one team can address all cybersecurity threats and needs. In reality, cybersecurity goes far beyond just the security team. Products and corporate assets are never "owned" by the cybersecurity team, and those who do own them likely have very different objectives than the security team.
Security needs to become something that all departments think about. That doesn't mean sales or engineers need to become technical experts in security, but they do need to start bridging the gap by asking questions, understanding the risks, and knowing how they fit into the solution. In fact, that is what must happen if we want to succeed.
Establish Relationships with Different Business Units
Security leaders will always be the biggest cheerleaders for cybersecurity, but when other departments openly embrace it, their teams will follow. Security teams must enlist the support of departments including human resources, communications, marketing, product development, legal, and more. While not all will sign on, most reasonable leaders will recognize how doing so helps the company achieve its objectives.
Spend time talking to the different department leaders to find where your interests align and how you can work together for mutual benefit. For example, product quality and security are often viewed and measured as two different elements owned by two separate departments. However, customers don't see it that way. If a product is high in quality but lacks security, it ultimately isn't a high-quality product.
Likewise, customer privacy can't exist without security, and a sales team that can't speak to the security of their products can't understand and help manage customer risk. Businesses need to start to make those types of connections, and it will happen more naturally when cybersecurity is engrained in the culture.
Get Buy-in from the C-Suite
Studies show that top executives and boards of directors see cybersecurity as a top issue facing companies. The question is: Are leaders taking action or expecting their CISO to fix the problem? We've found the answer requires both. In another role, we were able to get the C-suite to establish security goals as part of their annual objectives. These goals were ones that the C-suite, not just the CISOs, were measured against. That was a successful cultural change.
It's time that we recognize security for what it is: a business and leadership concern. Executives must prioritize security in the same way they do all other business risks. They must recognize that not all the actions to address the risk will begin with the CISO. In fact, they are likely to find most do not. The CISO needs to develop the strategy, guide and advise throughout the process, provide measures, teach, and coach, but the CISO can help the most by accepting that they cannot be the one that does it all, regardless of the size of the team. Without leadership from the top, cybersecurity will remained siloed and viewed as a specialized technical issue rather than the cultural one it is.
For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail. Cybersecurity needs to be a part of a culture, and security needs to be at the core of the company, lead by executives. It's no longer good enough for the security department to be the last stop on a checklist of things to do — we need a team approach instead.