Building a culture of cybersecurity

Cyberattacks are a major concern for business leaders. Organisations need to shift their mindset and understand that security must be treated as a critical business concern. However, corporate leaders who recognise its importance may not know how to guide their organisation’s cybersecurity strategy.

Here are six guiding principles to help senior leaders assess and improve their organisation’s approach to cybersecurity.

Principle one: Integrate cybersecurity into the business strategy

Senior executives and board members need to be directly involved in quantifying cybersecurity efforts and should lead the way in advancing new approaches to their costs and returns. Leaders should start by identifying the company’s data crown jewels, before integrating cyber risks into the tools already used to evaluate new opportunities, such as scenario modelling, ROI analysis, competitive analysis, and a formal review of emerging technologies.

Principle two: The corporate structure should reinforce a culture of cybersecurity

Without cybersecurity explicitly built into the culture, an organisation can’t communicate true commitment to it. Boards should appoint one member to specialise in and report on cybersecurity issues. The entire board should still remain involved and informed, however, and should delineate a clear cybersecurity chain of command. They should map out the accountability for cybersecurity, starting with the board and extending down to the specific individual tasked with protecting the business from cyber threats. Staffing and compensation should reflect its importance.

Principle three: Employees are the biggest risks

Employees may inadvertently jeopardise data, steal information for a competitor, or sell data or intelligence. Controlling access to company data can significantly improve the chances of catching this behaviour before it causes devastating damage. Investing in cybersecurity professionals’ training reaps rewards for the organisation and is essential for staying abreast of current threats.

Principle four: Detect, detect, detect

The longer it takes to detect a data breach, the more expensive the data breach becomes. Although senior leadership cannot be involved in actively detecting each security problem, executives can help make sure that detection is prioritised and can create incentives to encourage cybersecurity reviews. Relevant committees at the senior level should formally review reports generated from third-party auditing. In addition, they should establish a feedback loop so that insights from these studies are immediately incorporated into existing processes, policies, and manuals.

Principle five: Data protection – collect what’s required, share only what’s necessary

Organisations need to have flexible and adaptable approaches to protect data. They should collect only business-critical data and should have clear plans and a realistic estimate of the resources required to collect, store, protect, and analyse the data. When it comes to vendors, businesses should understand what data they can access and how they gain access to it. Before signing a contract with a new supplier, businesses should conduct an external audit to ensure that the supplier meets the organisation’s standards and follows the security measures promised.

Principle six: Develop robust contingency plans (and test them)

A formal incident response team is a critical component of a cybersecurity strategy. Businesses should create internal crisis management playbooks, prioritise the most likely cybersecurity threats, and create the most robust and detailed plans for those scenarios. They should include key departments across the organisation including legal, communications, marketing, and human resources, depending on the kind of threat.

Leaders must view cybersecurity as part of the broader risk management process, rather than dismissing it as a technology problem with a technology solution. The most successful cybersecurity approaches are not necessarily the most expensive, but they do require persistence, attention, and prioritisation.

Sean Murphy, ANZ Channel Community Executive Council Member and Owner, Nexus IT