Cybersecurity should no longer be viewed as a function of information technology alone. The review of cyber security as a function should move under COO or CEO. It needs to form an integral part of culture and strategy of the organization. It should be reflected in every facet of the organization, right from the strategy to the behavior of an individual employee. We have also started to observe that the performance of any business on stock market is also dependent of their cyber security policies and practices.
An organization’s security culture is not something that grows in a positive way organically. One must invest in a security culture just when a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever. A sustainable security culture has four defining features.
One, it is deliberate and disruptive. The primary goal of a security culture is to foster change and better security, so it must be disruptive to the organization and deliberate with a set of actions to foster the change.
Two, it is engaging and fun. People want to participate in a security culture that is enjoyable and challenging.
Three, it is rewarding. For people to invest their time and effort, they need to understand what they will get in return.
Four, it provides a return on investment. The reason anyone does security is to improve an offering and lower vulnerabilities; we must return a multiple of the effort invested.
It is an established fact that the computers do exactly what we tell them to do. The challenge is with the humans, as they need a framework to understand what is right thing and what is wrong for security. Making of cybersecurity culture includes following points –
One, cybersecurity is the battle that can only be won by joining hands with other companies that are part of the ecosystem;
Two, the journey of the cybersecurity culture must start with identifying and defining Internet governance in collaboration with governments and regulators;
Three, the code of cybersecurity ethics can be created for each industry separately based on their needs;
Four, the act of cyberattack transparency will build trust with everyone from suppliers to customers;
Five, CEOs should be presenting cyber security as the DNA of the organization which is a part of their business model and value chain, including their leadership structure;
Six, CEOs should acknowledge that cybersecurity is not an “add-on” feature, instead, it is an integral part of “security by design”.;
Seven, organizations should start to bring CISO (Chief Information Security Officer) to the board, who will help organizations protect Cybersecurity Value Chain;
Eight, CEOs are in a position to influence Internet service providers as a first action to make the Internet more secure and to invest in implementing better base Internet protocols;
Nine, despite many organizations focusing on developing cybersecurity awareness, not all individuals understand their role in the organization’s security culture;
Ten, cyber security awareness is about changing the view of individuals who have the opinion that only security department is responsible for cyber security;
Eleven, lack of employee buy-in is one of the main reasons that it is difficult for organizations to instill proper cybersecurity culture in their workforce.
Organizations can work on the idea of setting up the cyber security community within the organization. It should be seen as the backbone of sustainable security culture. Security community is achieved by understanding the different security interest levels within the organization and addressing their needs.