The business benefits of a strong cybersecurity culture
I recently discovered a fascinating C-suite report that used an apt metaphor to capture why culture is so challenging for businesses: Organizational culture is like an iceberg. That was Deloitte’s take, and it resonates with me.
The relatively small portion you see above the waves represents isolated, highly visible problems—like the employee who opens the door to an attacker by clicking on a link in a phishing email. But the bulk of the culture iceberg is submerged: the shared, but often hidden, beliefs and assumptions that ultimately allow those major security problems to occur.
That’s why creating a healthy cybersecurity culture is such a high priority—and also such a significant challenge. Employees are on the front line of a company’s cyber defense, and their involvement is critical not only in preventing compromise but also in helping the organization respond quickly to the few inevitably successful attacks. For this reason, I consider a security-aware workforce to be one of the three essential elements of a cyber-resilient organization, along with mature cybersecurity capabilities and security-focused technology operations.
The challenge is that building a cyber-resilient organization involves instilling a security-aware culture that involves all employees—including the board, executives, managers and line workers as well as IT and security experts. And changing the beliefs and assumptions of an entire workforce is not easy.
Cybersecurity Culture Drives Profitability and Brand Reputation
Yet meeting that challenge can deliver business benefits that extend far beyond a reduction in cyber-incidents, according to a landmark CMMI and ISACA study of the cybersecurity culture at more than 4,800 organizations worldwide. Yes, two thirds of organizations that successfully implemented a cybersecurity culture with substantial employee buy-in said they reduced cyber incidents as a result. That’s a huge benefit in itself.
But more than half of those companies also built strong customer trust and improved their brand reputation, and a substantial number increased profitability and speed to market. In fact, 87 percent of all surveyed organizations believe that strengthening their cybersecurity culture would increase profitability or viability.
The financial implications are perhaps not so not surprising, since other studies have found that more than half of corporate data breaches result in significant costs, sometimes including lost revenue, not to mention the long-term impact of a tarnished reputation.
Conversely, the risks of failing to establish a healthy cybersecurity culture include not only breaches and regulatory penalties but also missed business opportunities, poor customer retention, brand mistrust and high employee turnover.
So how are companies doing? As our study shows, organizations are taking steps in the right direction—but there’s still a long way to go. A great majority of organizations have strengthened their culture over the past five years; nearly all either have employee training in place now or plan to implement it in the next year, and they actively communicate cybersecurity policies and required standards behavior to their employees.
However, only four in ten organizations rate their attempts to establish a successful cybersecurity culture with employee buy-in as very or extremely successful, which means roughly 60 percent have seen limited or no success. Nearly all organizations believe there’s a gap between their organization’s current cybersecurity culture and their desired state—and for nearly a third of organizations, the gap is significant.
Bridging the Cybersecurity Culture Gaps
But why do these gaps still exist? And how can companies get better at fixing them?
One reason these culture gaps persist is many organizations still fail to recognize that implementing cultural change throughout any organization requires top-down commitment as well as bottom-up approaches, like employee training.
Let’s talk bottom-up first: Lack of employee buy-in or understanding remains the top factor inhibiting organizations from achieving their desired security culture. Despite companies’ increased emphasis on creating cybersecurity awareness, only a third of organizations believe that employees outside the security team have a good understanding of their role in the organization’s cybersecurity culture.
Clearly, employee education and communications are essential tools for creating a cyber-hardened workforce. Individuals are the weakest link in the cybersecurity chain, and making all employees aware of their role helps ensure that security practices are integrated into every aspect of business operations, not simply relegated to often underfunded security professionals and technology.
In our study, organizations highlighted clear, consistent policies and regular hands-on training among the top approaches that strengthen cybersecurity culture.Winning Top-Down SupportBut support from senior executives is also vital to ensure everyone follows those policies and behaviors—and that support is still lacking.
Many organizations say that lack of executive buy-in prevents them from achieving their cybersecurity culture goals, and note that the C-suite has only a limited understanding of their organization’s current cybersecurity culture. Many also cite other barriers that speak to a lack of commitment from the top, such as conflicting organizational objectives or a lack of funding. Such barriers may also reflect a lack of understanding: a healthy cybersecurity culture actually supports other organizational objectives such as profitability and brand reputation.
To gain senior support, it’s essential to communicate cybersecurity strategy to the board and C-suite in terms familiar to them: mitigation of enterprise risk. That’s something the CMMI Cybermaturity Platform was designed to do. It describes each company’s unique risk profile, then defines and measures the cybermaturity capabilities required to mitigate the organization’s most important risks, presenting the information visually in ways that board members easily grasp. The risk profile differs by industry and by company, depending on factors such as the company’s business focus and risk tolerance.
That risk profile should drive the development of security capabilities and the investment in cybersecurity technology—but it can also be used to shape the organization’s cybersecurity culture. Focusing cybersecurity awareness training and policies on the company’s major sources of risk maximizes the efficiency and effectiveness of your cybersecurity culture.
Developing and maintaining a strong cybersecurity culture is as dynamic a process as the development of the other two essential elements of cyber resilience, mature cybersecurity capabilities and technology. In a rapidly changing threat landscape, organizations should be continually examining their enterprise risks and adjusting their strategy to focus on the risks that matter most. Commitment from the top is essential to developing the strong cybersecurity culture that enables a cyber-resilient organization.
(This post originally appeared on the ISACA blog, which can be viewed here).