Today’s smart, connected, and increasingly automated world presents businesses with more risks of exposing sensitive data or being compromised by cybercriminals. Companies are increasingly using cloud services and third-party integrations, which exposes them to threats such as disruption of operations, erosion of consumer trust, and ultimately damage to their reputations, to the detriment of their bottom line. As a result, all companies need to teach their employees that security processes are critical and should be top-of-mind.
Awareness but a Lack of Strategy
According to recent reports from Accenture, despite awareness of where cyber security risks may lie, there is a lack of commitment to integrating the cyber security strategies and workplace awareness programs designed to combat them.
- Cyber security training and regular updates are received by less than half of all new employees.
- Insider threat programs are low on the priority list for only four out of ten respondents.
- Although almost three-quarters of respondents agree that “cyber security activities and personnel should be dispersed across the organization,” cyber security is currently a centralized function in 74 per cent of organizations.
Why does this happen? Many of the problems are blamed on business unit leaders, who rarely take responsibility for security or consider it in the design of products. Security is typically left to CISOs and their teams, working within security silos. Sometimes, though, they are given little input into business decisions and have little understanding of the business’s objectives.
- Business unit leaders are held responsible for security by fewer than half (22%).
- According to the CISO survey, nearly half of all top management must review and approve proposals before new business opportunities are brought in.
- It is estimated that four out of ten security teams implement new policies without first consulting their business counterparts to understand how those policies might affect their goals.
It seems a security-first culture has a long way to go before it becomes the norm at many companies and organizations.
Building a Security First Future
Cyber security strategies need to be developed by business leaders with a new mindset. A security culture eliminates the silo mentality, breaks down departmental barriers, and makes security everyone’s responsibility.
This can be achieved in several ways, according to Accenture.
- Enhance cyber resilience: The security group should consider every aspect of the business strategy, starting from top management right through to the frontline. Cross-collaboration and improved communication are encouraged by embedding security professionals within business units. Security strategies and budgets must consider future needs in addition to combating known risks.
- Empower and enable security leaders: There is no doubt that some aspects of security will become more specialized as new risks emerge, but security leaders will also need a broader remit and the applicable business skills. To build bridges between security and other functions, CISOs will need to become more “business savvy,” which will allow them to speak the language of other executives and to influence rather than dictate rules.
- Encourage employee participation: Employees play an important role in cyber defence; phishing attacks often lead to breaches due to employee negligence. Establishing a security culture should begin from the first day a new employee starts at the organization and continue throughout their career. Incentives for security advocates and cybersecurity champions can help foster this philosophy. Ultimately, employees must assume accountability for security.
- Advocate security to build trust: Digital trust and privacy are high on the agenda for customers because they are on the receiving end of data breaches. Businesses can easily lose their hard-earned reputations, so they should act as advocates for their customers’ security, going beyond the fundamentals of compliance. Providing customers with information about how to better protect their data is essential for building trust, as is designing security into products, services, and user interfaces.
- Broaden security: Cyber resilience can only be built through collaboration and integration across industries and within them. Cyber security will be robust if a framework of formal mechanisms and procedures is established with suppliers, partners, and third parties.