WWW.INFORMATIONWEEK.COM
How to Create an Enterprise-Wide Cybersecurity Culture
John Edwards, Technology Journalist & AuthorDecember 27, 20245 Min ReadYuri Arcurs via Alamy Stock PhotoAs the threat landscape grows, investment in cybersecurity training and awareness programs is expanding rapidly. The reason is simple -- cybersecurity's weak link is people and how they behave. It's a challenge that many experts now believe can only be resolved through an enterprise-wide culture change.Prioritizing cybersecurity and building an enterprise-wide cybersecurity culture is essential, says Jennifer Sullivan, a principal in Deloitte's cyber strategy practice. In an era of rapid technological evolution, cyber threats pose significant risks to organizations' operations, reputation, and financial stability. "Cultivating a culture of continuous education and awareness empowers every employee to take ownership of cybersecurity, supporting sustainable growth and innovation," she states in an email interview. "By prioritizing cybersecurity, potential vulnerabilities can be transformed into strategic strengths, ensuring a long-term culture of resilience and trust both inside and outside the organization."Getting StartedThe first step in creating an enterprise-wide cybersecurity culture is building a comprehensive policy that establishes what's considered right and wrong. "This policy should be clear, well-documented, and easily accessible to everyone in the organization," advises Erez Tadmor, field CTO at security policy management company Tufin, in an online interview. The policy should outline network security rules, such as access controls and data communication standards, setting the foundation for expected behaviors, he explains. "When all security teams align with these guidelines, it fosters a sense of unity and responsibility that becomes ingrained in the companys culture."Related:Promote ownership in cybersecurity functions, recommends Amanda Satterwhite, Accenture Federal Services' managing director of cyber mission and enablement. This goal can be most effectively achieved by assigning security roles and responsibilities across various levels or teams within the organization, she notes via email. Rewards and recognition are also important. "Reward employees who demonstrate strong cybersecurity practices and who willingly take the time to report potential threats through vigilance."Make cybersecurity a factor in each employees annual performance, Satterwhite advises. "This ensures that individuals clearly understand what's personally expected from them," she says. "Setting minimum security performance goals for each individual fosters a culture of accountability and shared responsibility."Related:Cybersecurity culture planning requires a cross-organizational effort. While the CISO or CSO typically leads, the tone must be set from the top with active board involvement, Sullivan says. "The C-suite should integrate cybersecurity into business strategy, and key stakeholders from IT, legal, HR, finance, and operations must collaborate to address an ever-evolving threat landscape." She adds that engaging employees at all levels through continuous education will ensure that cybersecurity becomes everyone's responsibility.Culture BuildingLiberty Mutual Insurance builds its cybersecurity culture with "Responsible Defenders," a culture-based awareness initiative that's designed to educate the firm's 45,000 global employees about their role as frontline guardians against cyberattacks. "The program aims to educate employees about their responsibility to keep sensitive customer, employee, and company information secure," says Jill Areson-Perkins, a cybersecurity manager at Liberty Mutual Insurance, in an online interview. The program's goal is to keep employees engaged throughout the year with social engineering exercises, gamification tactics, blog posts, videos, and online training and events. "As the cyber threat landscape continues to evolve, we regularly update and enhance our training and education."Related:Liberty Mutual also fosters a cybersecurity environment by deploying exercises that use real phishing emails as templates. Employees that fail the exercise are given real-time training that highlights the rogue emails' suspicious components. "We also provide a 'Friends and Family Cyber Guide' for employees to share externally." The guide offers tips on topics such as 'phishy' emails, password management, and social media privacy, Areson-Perkins says. "By actively engaging every employee, as well as senior leaders and business partners across the company, we cultivate a culture where everyone feels empowered to safeguard the company."Final ThoughtsA big mistake many organizations make is treating cybersecurity as a separate initiative that's disconnected from the organizations core mission, Sullivan says. "Cybersecurity should be recognized as a critical business imperative that requires board and C-suite-level attention and strategic oversight."Creating a healthy network security culture is an ongoing process that involves continuous learning, adaptation, and collaboration among teams, Tadmor says. This requires more thought than just setting policies -- it's also about integrating security practices into daily routines and workflows. "Regular training, open communication, and real-time monitoring are essential components to keep the culture alive and responsive to emerging network threats," he says. "By making network security a shared responsibility across the organization, companies can build a resilient and adaptive security posture."Seek clarity and openness, Satterwhite suggests. "One of the biggest mistakes in building a cybersecurity culture is adopting industry buzzwords that don't resonate with employees," she explains. Use company-aligned terms in internal campaigns that promote the importance of securing the companys mission. "Make sure that the messaging is clear and understandable at every level of the organization."About the AuthorJohn EdwardsTechnology Journalist & AuthorJohn Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.See more from John EdwardsNever Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.SIGN-UPYou May Also LikeWebinarsMore WebinarsReportsMore Reports
0 Σχόλια
0 Μοιράστηκε
33 Views