
Creating a Culture of Cybersecurity in an Organisation

Posted by: TÜV SÜD Expert Date: 06 Jul 2023

While every employee in an organisation is responsible for facilitating a culture of cybersecurity, the primary onus lies with the management. From strategic decision-making to budgeting, planning, and implementing, the management plays a pivotal role in implementing a new culture that trickles down to the employees at other levels.

Cybersecurity needs to be an essential part of the overall digital transformation strategy of the organisation. This article will explain how the management can implement cybersecurity, proactive and reactive strategies, and ways to make it a part of the culture.


How Should the Management Implement Cybersecurity?

According to the guidelines of the World Economic Forum, there are six principles [1] to creating a cyber-attack-resilient company:

  1. Cybersecurity should be a strategic business enabler
  2. Understand the economic drivers and impact of cyber risk
  3. Align the cyber-risk management protocol with the business needs
  4. Ensure that the organisational design supports cybersecurity
  5. Incorporate cybersecurity expertise into the board governance
  6. Encourage resilient systems and greater collaboration among teams

Cybersecurity must consider strategic and enterprise risks, not just threats to IT systems. The management must clearly understand the legal implications and have insurance to mitigate the financial damages in addition to a cybersecurity plan.

Proactive and Reactive Cyber Protection (Incident Management) Strategies

Continuous cyber risk assessment is essential for incident management within a company. It is best to compile a list of potential risks and constantly update them for proactive cyber protection strategies. Here is a brief explanation of the proactive and reactive strategies for cyber protection in a company.

Proactive Cyber Protection

Proactive or preventive cyber protection includes identifying, evaluating, and managing potential risks and their damage. The proactive cyber protection document helps map the types of risks with the business activities.

The team works together to document the critical points and vulnerabilities of the information systems, networks, and connection methods. After mapping, the document defines the steps the company needs to take to reasonably secure the systems.

However, the company must have a plan and be prepared for situations where reactive cyber protection (incident management) is needed.

Reactive Cyber Protection

The reactive cyber protection plan outlines the actions in case of an unforeseen incident that was not a part of the proactive cyber protection document. It will provide clear guidelines to follow in case of data breaches and any other cyber-attacks. Both proactive and reactive cyber protection documents synchronise with each other.


Make Cybersecurity A Part of Culture

Companies where both the employees and the management take active steps to prevent cyber-attacks have an excellent cybersecurity culture. Some of the important factors that influence a healthy cybersecurity culture within an organisation are:

Leadership and Commitment from the Top Management

The decision-makers or leaders should prioritise cybersecurity and promote the culture throughout the company by setting examples. They must allocate sufficient human resources and budget to implement cybersecurity and provide the necessary support and training.

Education and Training Tailored to the Job Functions and Roles of Employees

Once the senior management has initiated and implemented the cybersecurity culture, it is the responsibility of the employees to actively pursue it. The employees must have the necessary knowledge and skills to implement cybersecurity. This knowledge comes through corporate training on daily best practices and an overview of new threats. Regular training is necessary to mitigate the risks and make cybersecurity a part of the culture.

Cybersecurity training is not a one-size-fits-all approach. For an effective security awareness culture, it is important to tailor the training to the nature of work and the department of the employee. For example, those who handle financial data may need different training than those who handle customer data on a CRM. Development and testing teams that work directly on the code of a software product need to understand and implement cybersecurity practices from a whole new perspective.

Clear Policies and Procedures

Both management and employees must have clear policies and procedures to protect sensitive information and report in case of a breach. The cybersecurity team must define the process clearly using flowcharts or other means and conduct regular employee training. They also need to regularly review and update the processes.

Regular Testing, Assessments, and Audits

Companies need an expert cybersecurity partner to review the systems and processes, identify vulnerabilities, and design a process to handle cyber threats proactively and reactively. The external agency will perform regular security audits, do system penetration testing, and simulate numerous real-life cyber-attack scenarios.

Collaboration and Communication Between the Teams

Sharing information about vulnerable systems and potential threats across departments helps the company achieve greater overall cybersecurity. This helps create a common database of threats, using which the cybersecurity team can coordinate efforts and collaborate on developing and implementing strategies.


Conclusion

Managing a company’s cybersecurity is no longer limited to technologists only. Conventional cybersecurity frameworks kept cybersecurity in a silo, away from senior management and employees. Senior-level discussions about cybersecurity, if any, were held only to satisfy compliance obligations.

However, things have been changing fast over the last decade. Businesses, irrespective of the industry, are making cybersecurity a part of their core culture. From managing data on individual desktops to cloud servers and networks, employees, at every step, must know the company’s cybersecurity protocol.

References:

  1. World Economic Forum, "Principles for Board Governance of Cyber Risk" (2021), https://www3.weforum.org/docs/WEF_Cyber_Risk_Corporate_Governance_2021.pdf
