It may sound odd, but cybersecurity and company culture are, in many ways, extremely similar. Hear us out on these commonalities:
- Importance: both a robust and effective cybersecurity strategy and a functional and inclusive company culture are critical for business success. You’re unlikely to find a corporate leader who wouldn’t agree on the culture front, but many also believe (to their own detriment) that cybersecurity is less important or an unnecessary expense — until of course, it’s not (and too late!).
- Impact: every organization has a culture and most have some level of cybersecurity. However, each one has the potential to make or break the company if not taken seriously. Just as a toxic work culture can hinder a company’s success, ineffective or immature security systems can result in devastating results for the company’s bottom line.
- Upkeep: neither a company’s culture, nor their cybersecurity strategy and programs can be created or purchased and then left unattended. Both require constant vigilance, maintenance, and participation/support from everyone in the company.
Now, thriving corporate culture and effective cybersecurity don’t happen overnight. They both require time and resources to build and foster success, beginning with 5 simple steps.
5 Steps to Improve Both Cybersecurity and Company Culture Within Your Organization
Step 1: Obtain senior level sponsorship.
Sponsorship is built around awareness in an immersive way. It cannot take a break, find another path, or lose its way. Like any good sponsor, it needs to be ever available and present.
Cybersecurity, like culture, needs advocates across different teams. IT and InfoSec are obvious, but HR, finance, and sales are equally important to spread awareness organization-wide.
Obtaining this senior level and multi-department sponsorship means having a solid process in place that can easily be incorporated and understood by every team. Keep it simple and applicable to each team, as a process applicable to finance may not be equally applicable for sales.
Step 2: Educate employees at all levels of the organization.
We live in a rapidly evolving, increasingly digital world where education takes the form of varied mediums. Some folks require smaller, digestible bites of information, others a library to feel confident in their understanding of any initiative.
We can often choose not only how to be educated and informed, but also our level of immersion.
Speaking specifically to cybersecurity, threats often happen in waves, and major exploits can bring things to the surface as a priority, such as the recent Microsoft Exchange exploit. When such incidents happen, everyone must be ready to jump into action. This means calling on prior education to determine messaging, response, mitigation, etc. If that initial education is lacking, any response needed would likely be too late or inaccurate, resulting in greater damage.
Step 3: Make it as easy as possible to identify issues that need to be addressed.
Implementing cultural changes always come with some degree of discomfort, meaning there will likely always be people who aren’t fully on-board with a new program or initiative. Identifying whether those changes result in a positive or negative long-term impact can take time, but by the point any negative impact is noticed and acted upon, the impact has often been too great and is more difficult to recover from.
Cybersecurity is much the same, although the impact of a threat gone unnoticed is arguably greater, if only because the negative impact can happen in an instant. Ensure your organization has a dashboard or single source of information that make it easy to quickly identify exploits and vulnerabilities.
Further, don’t disregard incidents that seem small. If there is one or a few bad apples perpetuating a toxic culture, don’t underestimate the larger impact those few can have on the whole. With cybersecurity, don’t assume a seemingly minor incident is just that… minor. There is always the possibility it can be the start of a major breach. Equip everyone with the ability to detect and report these seemingly isolated incidents, so that they can be addressed quickly before further damage is wrought.
Step 4: Encourage and recognize successful efforts.
It’s all too easy to focus on the negative but be sure to take time to recognize improvements across the organization and recognize the right actions.
Build a relationship with sponsors around the company and acknowledge improvements from their areas or with their systems, so they understand the value of their focus.
Also, encourage your InfoSec team — this is not a sprint but a marathon, and it takes time to persevere and get through the challenges along the way.
Step 5: Act swiftly when things go off course.
Think of SaltStack, Microsoft Exchange, Solar Winds. These high-profile breaches and others like them occurred after initial efforts did not work. This is exactly why having an incident response team and plan must be in your toolkit, as things will inevitably happen, and sometimes they happen despite your best efforts.
Be ready to isolate the problem, whether people or systems, in order to keep your business running. Consider if there are legal and/or compliance implications internally or for your customers. Regardless, ensure all customers stay informed and that you maintain transparency.
Investigate the root cause of any incident, deploy tools to eradicate the issue, evaluate any training gaps, and work with your sponsors to continuously build awareness.
[Related Reading: Create a Comprehensive Automated Incident Response Plan Before You Need It]
Like a Thriving Company Culture, Cybersecurity Should be Part of the Corporate DNA
It takes time to effectively build and perpetuate a supportive and inclusive company culture, and ultimately, the ultimate success is to then have that culture ingrained as a part of the corporate DNA.
Cybersecurity is much the same, even though many may not perceive it as such. Security strategy should not live and die with your InfoSec and IT teams — everyone within the company must be educated on security policies and procedures, and they should all further existing sponsorship by continuously educating themselves and new hires.
Companies that have successfully imbedded cybersecurity into the organization’s mindset, where processes, people, and technology all support the same goal, are those who have seen the highest and most consistent level of success.
Partnering with a Cybersecurity Provider
If you’re looking to partner with a Managed Detection and Response (MDR) provider, you want that strategy and partner to be as equally ingrained into your organization’s DNA — of course in regard to any security strategies/programs, but also with the cultural DNA of the company.
Such a partnership is a joint responsibility between your technologies and the selected service provider — it’s not 100% delegated. Getting everyone on the same page with both cybersecurity and culture can take time, but awareness can happen immediately.
The 5 steps listed above are also useful for bringing on a security partner and can help you ensure immediate wins by best integrating and educating them on current company programs.