How Gaps in Corporate Thinking are Damaging to Cybersecurity Culture
The cybersecurity industry does an extraordinary job of keeping a whole range of risks at bay. Yet issues beyond the reach of experts and technology often contribute to breaches, and many organisations are now working hard to build a holistic culture – where cybersecurity is the responsibility of everyone – to keep businesses and their data safe. However, organisations often exhibit gaps in their corporate thinking that can be damaging to this approach.
But it’s a goal that is worthy of corporate time, energy and investment. Indeed, research from PWC and Harvard Business Review revealed that 48% of respondents thought one of the CISO’s top five responsibilities should be to build an organisation-wide cybersecurity culture. This grew to 63% who say it will be a top-five responsibility in three years.
The challenge for businesses, however, is often one of mindset, and creating a functional cybersecurity culture requires a shift from tactical to strategic thinking. This starts at the top, because leaders set the tone, yet there are a number of key points that organisations don’t consider fully when identifying priorities and allocating resources. These gaps in corporate thinking include:
1. They aren’t up to date on how current threats could impact their organisation
From the latest breach making worldwide headlines to emerging industry-specific vulnerabilities or new research showing how minor cybersecurity trends are becoming major problems, organisations can be patchy in their risk intelligence and awareness.
The thought process here is about understanding the importance of security risk, how likely it is to materialise and the potential impact of any given event. Using a risk-based approach, organisations can identify which vulnerabilities are most likely to be exploited and assess their risk tolerance for each based on how important the affected system is. Organisations can only consider, prepare for and react to these issues if they have ready access to data about the potential impact of those risks.
2. They don’t know how their level of risk compares to the norm
This is a very common problem among business leaders, who employ comparative thinking on a daily basis but can’t easily apply it to cybersecurity risk. Yet understanding industry norms is a very important tool in measuring your own efforts, and it can provide vital context for organisations that want to know how their peers are prioritising cybersecurity.
The answer lies in developing broader industry knowledge, using benchmarking systems and participating in industry-focused organisations. Many current risk management tools also offer benchmarking features, enabling users to benefit from a wider perspective and understanding of risks in their industry.
3. They miss out on quick wins that could significantly increase protection
Businesses should take time to think about which project or process they could implement that would greatly reduce their overall cybersecurity risk or attack surface with the minimal amount of effort or spend. The options are varied, but can start with steps such as implementing multi-factor authentication across all users or automating the patch management process. Thinking in these terms can help improve overall standards without major financial outlay.
4. They don’t review their security spend regularly enough
Organisations should be reviewing their spending commitments on a regular basis and avoid assuming that there isn’t an equivalent or better way that might also save money. For instance, many businesses retain legacy implementations of controls where the cost to maintain far outweighs the actual risk reduction. Checking whether there are cheaper or simpler solutions that would do the same job as effectively, or better, might allow budget to be reallocated to the wider challenge of building a better security culture.
5. They need an honest appraisal of their security blind spots
One of the most useful lines of thinking organisations can adopt is prompted by the question: ‘Where are our biggest blind spots and what would it take to eliminate them?’ Adopting a mindset that keeps risk under constant review can prevent inertia and complacency from taking hold within corporate cybersecurity culture.
A healthy approach on which to base cybersecurity strategy is one grounded in data and a willingness to think critically about where the organisation currently stands, where it is going, and how long and how much it will take to get there. By taking a risk-based vulnerability management (RBVM) approach to answering these questions, business leaders and their cybersecurity teams can deliver more strategic value and shape corporate security culture for the better.
Stephen Roostan
Steve has over a decade of experience in cyber security and transformation projects; his role at Kenna is to rapidly grow the EMEA organisation to meet the customer demand for risk-based vulnerability management. Prior to Kenna he held senior sales roles at Forcepoint, Citrix and Imperva, focusing on IT solutions for complex enterprise requirements. Steve has a passion for driving equality, alongside enabling flexibility at work for modern living. He has held steering committee roles in companies looking to close the gender pay gap and develop careers for working parents, and strives to find and support equality initiatives across the workplace and industry.