Building a Strong Organizational Culture

Building a Strong Organizational Culture to Manage Cyber Risk

 

 

Chris Swagler | June 6th, 2024

Maintaining a strong cybersecurity posture is more necessary than ever for businesses looking to grow within the market and provide excellent service to their customers. As cyber threats become more sophisticated and the resulting damage continues to increase, both financially and in terms of data loss, it is not enough for organizations to deploy off-the-shelf products and assume security will follow1.

Without a doubt, cybersecurity software and services—such as Endpoint Detection tools or various Risk Assessments—are essential to building a mature cyber program. For these to be most effective, however, requires that organizations confront cyber risk through the development of a business culture that has cybersecurity awareness as a core value.

When building such a culture, executives and business leaders must promote and demonstrate cyber awareness, and non-management team members must understand the basic nature of the threat landscape as well as their significant role in achieving organizational cyber maturity.

Cyber hygiene from leadership

A research report from Accenture focused on the “Cyber-Resilience CEO” found, after engaging 1,000 business leaders, that only 33% claim to have “deep knowledge of the evolving cyber threat landscape” and understand the steps necessary to respond appropriately according to these threats. This insight comes from the same group of executives who, at a rate of 96%, say they “understand the importance of cybersecurity…for organizational growth, stability and competitiveness”2.

While it is not necessary for a CEO to be an organization’s most cyber savvy team member, it is incumbent they set the tone for a culture in which each individual gains deep knowledge of their integral part in overall cyber resilience. To build an effective and lasting cyber-centric work culture, business leaders should hold risk reduction and data protection in as high regard as revenue generation or other bottom-line measures. One way to start is leading by example, which includes speaking to the importance of defensive cybersecurity practices, not simply delegating the responsibility of building a cyber program to the IT team.

What can this look like?

If protecting revenue and reputation are paramount to business leaders, so too should be limiting downtime, one of the greatest challenges following a cyber incident. According to Information Technology Intelligence Consulting, research indicates the “hourly cost of downtime now exceeds $300,000 for 91% of SME [small and medium sized enterprises] and large enterprises3”.

A few ways a business leader can help prevent downtime involves setting the tone through establishing policies, allocating resources, and prioritizing cybersecurity as a strategic objective. One specific measure could include owning a part of the organization’s incident response (IR) plan. Engaging in tabletop exercises and holding a specific responsibility, for instance, would provide members of the executive leadership team—some of whom should be on the internal IR team—at least a basic understanding of all aspects of the incident lifecycle and a tangible level of accountability. The signal sent to the rest of the team is that every individual has a role in safeguarding core operations and business critical data.

Beyond this, leaders can assist in establishing clear policies, which are ideally reflected in the organization’s larger culture statements. The promotion of continuous improvement, learning, and adaptation—both at an individual and organizational level—when it comes to cyber practices will have significant and lasting effects on enterprise resilience.

Establishing this culture is expensive as it requires training, frequent assessments, practice, and the deployment of appropriate tools. As such, leaders can allocate resources in such a way to further reflect the culture they wish to establish. A 2023 survey from Moody’s noted that businesses earmark approximately “8% of their technology budgets to cybersecurity”4.

While no specific percentage is correct or best suited for building an optimized cyber program, budgets reflect priorities, and if leaders wish to prioritize the security of employee and customer data, as well as internal IP, allocations should reflect that with responsible spending that minimizes risk and the organization’s overall attack surface.

Cyber hygiene outside of leadership

Human error is still a leading cause of breaches, with varying percentages demonstrating the fact, and it must be addressed within any cyber focused business culture. Team members should be aware of this statistic—as well as its underlying impact—and educated in a way that promotes important behaviors. The fact of the matter is that every clicked email, use of public wi-fi, or period of inattention paid to a secure area can be an opportunity for threat actors (including malicious insiders) to act in a way that harms customers and/or employees by leaving highly sensitive information vulnerable to theft.

A report provided by the director of the National Counterintelligence and Security Center linked a healthy overall culture to a healthy cyber culture in pointing out that “disgruntled employees [are being] recruited to steal data or IP” to benefit threat groups or state sponsored actors5. Phishing and social engineering awareness training are certainly important in combating predatory threat actors; however, if employees do not understand and buy in to the importance of the why, such efforts may prove ineffective. In other words, an inclusive personal culture promotes an effective cyber culture.

Nurturing cyber-minded employees within a business can take on a similar process as with any other component of an organization’s values, mission, or vision. Cyber, arguably, should be embedded within these staples as they are firmly oriented in delivering security, service, peace of mind, and value to employees and customers without regard to what is manufactured, sold, or delivered. Providing clear expectations, responsibilities, and guidelines for cyber-minded behavior is a must as every employee with a work-issued or network connected device ultimately holds what represents a gateway to a lot of data threat actors would love to get their hands on.

To most effectively combat the current and future cyber challenges, organizational leaders must set the tone from the top by prioritizing cybersecurity and demonstrating a commitment to its importance. They should communicate the significance of cybersecurity to all employees and stakeholders, emphasizing that it is a shared responsibility. Concurrently, every team member must understand the importance of being cyber aware and be supported with the tools and training necessary for proper behaviors to follow.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

Sources

  1. Cost of a Data Breach 2023 | IBM. https://www.ibm.com/reports/data-breach. Accessed 15 July 2024.
  2. Cyber-Resilient CEO | Cybersecurity | Accenture. https://www.accenture.com/us-en/insights/security/cyber-resilient-ceo. Accessed 15 July 2024.
  3. Didio, Laura. Hourly Cost of Downtime – Information Technology Intelligence Consulting. https://itic-corp.com/tag/hourly-cost-of-downtime/. Accessed 15 July 2024.
  4. Moody’s Cyber Survey. https://www.moodys.com/web/en/us/about/insights/data-stories/2023-cyber-survey-highlights.html. Accessed 15 July 2024.
  5. Caminiti, Susan. Chinese Spies Are Targeting Disgruntled Workers within U.S. Corporations, Warns National Counterintelligence Head Michael Casey. 5 June 2024, https://www-cnbc-com.cdn.ampproject.org/c/s/www.cnbc.com/amp/2024/06/04/china-spies-targeting-disgruntled-us-workers-counterintelligence-head.html.

Categories

Connect With Us

Featured Articles

EDR Silencers
Responding to the Exigent Emergence of EDR Silencers
06 December 2024
Illusion of Invulnerability
How the Illusion of Invulnerability Can Elevate Business Risk
22 November 2024
Critical Role of Annual Assessments
The Critical Role of Annual Assessments for Preventative Cyber Care
11 November 2024
Cybersecurity Measures
Enhancing Cybersecurity Measures for Business Continuity
29 October 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

inside the soc

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.
shadowspear platform

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.
shadowspear demo

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.