Why Building a Security First Culture is Business-Critical

In the smart, connected, and increasingly automated landscape businesses operate in today, the risk of exposure of sensitive data or infiltration by cyber criminals is becoming ever more prevalent. The increasing use of cloud services and third-party integrations are exposing companies to risks with the potential to disrupt operations, erode consumer trust, and ultimately damage business reputations to the detriment of the bottom line. That threat means an organization’s security processes need to be top of mind for employees, and is the reason why for every company building a security first culture is a critical mission.

Awareness But a Lack of Strategy

According to a recent report from Accenture, while there is an understanding of where risks might lie, there is also a shortfall in commitment to the integrated cyber security strategies and employee awareness processes designed to combat them.

• Less than half of new employees receive cyber security training and regular updates throughout their career
• Only four in ten respondents said insider threat programs were a high priority
• While almost three-quarters of respondents agreed that “cyber security staff and activities need to be dispersed throughout the organization,” cyber security is a centralized function in 74 percent of companies

Why is this happening? According to the study many of the problems stem from a lack of accountability, with business unit leaders rarely being asked to take responsibility for security, or to take security into account in product design. Security is more often than not the responsibility of the CISO and their team within the security silo. However, that responsibility is sometimes discharged without much input into business decisions, or an understanding of business goals.

• Less than one in four (22 percent) of business unit leaders are accountable for security
• Nearly half of CISOs surveyed indicated they were only brought in on new business opportunities after proposals had been discussed and agreed to by top management
• Four in ten security teams implement security policies without conferring with business units to understand how the new policies might affect their goals.

Much needs to be done it seems before embedding a security first culture becomes the norm for many companies and organizations.

Building a Security First Future

Business leaders need to change the mindset and develop an integrated cyber security strategy. One that knocks down the silo mentality, breaks down departmental barriers, and instills a culture of making security everybody’s job across the organization.

The Accenture study highlights several key ways this can be achieved.

1. Build cyber resilience. The security team should be involved in every aspect of the business strategy from top management, through the back office function, right to the frontline. Embedding security staff within business units encourages cross-collaboration and better communication. The focus needs to be not only on combating known risks, but also on looking to future needs when security strategies and budgets are considered.
2. Enable and empower security leaders. While some aspects of security will undoubtedly become more specialized as new risks evolve, security leaders will need to have a broader remit, with business skills to match. CISOs will become more “business savvy,” allowing them to speak to other business leaders in their own language, building bridges between security and other functions by becoming more of an influencer and less of an enforcer.
3. Involve employees. Employees are at the front line of cyber defense; indeed they can often be the cause of breaches by falling victim to phishing attacks. Creating a security culture should begin on day one for a new employee and continue throughout their career, embedding security as a core competency across the entire organization. Employees need to know they are all accountable for security, a philosophy that cybersecurity champions and incentives for security advocates can help to foster.
4. Advocate security to gain trust. Customers are often at the sharp end of security breaches so digital trust and privacy are high on their agenda. Hard earned reputations can be easily lost and businesses must go beyond basic compliance, acting as advocates for security with their customers. Designing security into products, services, and customer interfaces is essential to building trust, as is helping customers to understand how to better protect their data.
5. Security on a wider scale. Collaboration and integration on a wider scale, both within and outside a company’s own industry, are essential to building cyber resilience. A framework of formal mechanisms and procedures with suppliers, partners, and third parties will ensure a robust approach to cyber security.

This related post on the topic of how employees can improve security might be of interest: How to Create a Security First Culture Throughout Your Organization. You can also learn more about insider threats with this recent post on the topic: Insider Threats: What They Are & How To Handle Them.

The original version of this article was first published on Inspired eLearning.