Securing the future: Cyber security readiness report

Chapter 9: Improving security culture

There’s no doubt that implementing the right cyber security solutions is critical for addressing threats. However, many organizations also need to make changes in their company culture. Developing a stronger cyber security culture can help combat a rising number of threats while offsetting the challenges of constrained budgets, talent shortages, and conflicting priorities.

What kinds of culture changes are required? Security leaders must first enhance understanding and awareness. Employees need to understand how attacks happen. They must be educated about phishing schemes and stolen credentials as well as the web attacks, distributed denial-of-service (DDoS) attacks, and zero-day exploits that can bring businesses to a halt. They should be trained on how to identify attacks and how best to report them to security.

At the same time, they should understand the importance of preventing cyber attacks. They should know that successful attacks can have wide-ranging consequences — including brand reputational damage, lost customers, and significant financial losses.

In addition, employees must understand why they shouldn’t install new apps on their own or find ways to skirt security policies. Some tech-savvy employees might believe it is simpler and faster to solve seemingly minor technical challenges on their own. But by participating in shadow IT, they could be putting their organizations at serious risk.

As security teams educate employees, they should make it clear that company security is a shared responsibility. Employees are often the first line of defense against threats. Empowering employees to identify and report incidents can play a key role in preventing breaches.

Successfully sharing responsibility for corporate security can ultimately alleviate some of the budget and personnel challenges facing many organizations. For example, when employees can better identify phishing attempts, they are less likely to fall for those schemes and inadvertently give away credentials that open doors for criminals. And fewer successful phishing attempts will reduce the number of breaches that security teams must address.

Enhancing awareness and understanding must extend all the way up to the executive suite and boardroom. When security leaders can educate other executives and board members about the prevalence of attacks and the tremendous harm those attacks can cause, they can garner support for security-focused programs and policies, and gain approval for larger security budgets.

Improving awareness among executives can also help produce champions — influential leaders who advocate for shifts in attitudes and behaviors across the company. Champions can inspire employees to internalize security values and adopt critical policies.

When a company has a strong security culture, CISOs can be more proactive. They can move forward with security initiatives and strengthen preparedness — without having to wait for incidents to occur.

Building a robust cyber security culture can have real, tangible cyber security benefits. In the latest Forrester research study, approximately 60% of respondents reported that improvements in corporate culture enabled their teams to respond faster to incidents in the past year. As many organizations struggle to bolster preparedness for the next attacks, enhancing awareness and understanding among employees can be one of the best investments they can make.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article, you will understand:

  • Survey results from over 4,000 cyber security professionals

  • New findings on security incidents, preparedness, and outcomes

  • Considerations for CISOs to secure the future and achieve better outcomes for their organization