Building a Cyber-Resilient Culture: A Webinar Recap
We recently had the opportunity to team up with CyberCX for our webinar, “Building a Cyber-Resilient Culture.” During the webinar, our President and Founder, Joseph Kirkpatrick, and the US Director of Digital Forensics, Chris Pogue discussed how company culture can lead to cyber resilience.
If you weren’t able to attend the webinar but would like to hear Joseph and Chris’s entire conversation, you can listen to the full recording here.
What is Cyber Resilience?
Cybersecurity is unlike any other industry. It has been around for 25+ years at this point, and cybersecurity strategy still can’t be considered completely “successful.” Research shows that there’s a cybersecurity incident every 39 seconds. Threats are becoming more expensive and frequent every year, and it can be hard to stay afloat.
Even though it can feel overwhelming to stay ahead of the threats, the ultimate goal is cyber resilience. Cyber resilience doesn’t mean that an organization is immune from vulnerabilities or threats, but it does mean that the organization knows how to remain as secure as possible, including having a company-wide plan for when something goes wrong.
Technology can help when building cyber resilience, but culture is the missing piece for many organizations that are trying to increase their resilience against threats and vulnerabilities.
Security should be a company-wide initiative that affects every person at every level in an organization. We aren’t ever going to perfectly keep the bad guys out, but when an entire company is committed to an organization’s security, everyone can be an enabler of cyber resilience.
However, if you want your whole organization to care about cyber resilience, they need to know exactly what they are striving for.
What’s the difference between cybersecurity and cyber resilience?
Cybersecurity involves all of the different steps an organization takes to protect their data and remain secure. Cybersecurity includes ideas like confidentiality, availability, and integrity and is maintained by the controls an organization has in place to protect their environment. Risk and vulnerability management are also a part of cybersecurity.
Cybersecurity is something that you’re constantly pursuing; it isn’t something that can be reached, but an organization can become cyber resilient.
By only focusing on security, organizations are stuck in a state of reactivity, but if they shift to thinking about becoming an organization that is cyber resilient, they can stop reacting and feel more prepared to face today’s threats confidently.
Joseph suggested referring to the NIST cybersecurity framework implementation tiers to gain a better understanding of how cyber resilience fits in with cybersecurity. These tiers help indicate how well an organization is implementing the framework—the higher the tier, the better the implementation. The fourth and highest tier is “Adaptive.” Within this tier, organizations have fully adopted the NIST cybersecurity framework and are remaining proactive against threats and vulnerabilities.
An adaptive organization makes for a cyber-resilient one. This looks like management constantly taking input from the risk that’s being faced. Management should be participating in cybersecurity practices and encouraging their peers to do the same. A cyber-resilient organization not only receives information of how to maintain a strong security posture but also shares their own cybersecurity knowledge with others. This is what truly drives cybersecurity.
What does company culture have to do with cyber resilience?
When looking to improve their cybersecurity posture, organizations may not think to take a look at their company culture, but Chris made the point it’s the missing link to becoming cyber resilient. He quoted Peter Drucker in saying, “Culture eats strategy for breakfast.” This is a pretty common idea in the corporate world, that culture makes a big difference in many aspects of an organization, but we haven’t properly applied this way of thinking to our cybersecurity programs. Culture can make a big difference in an organization’s security posture, but for that to happen, we need to start viewing security as an enabler to business objectives and make security more accessible to the entire organization.
Often times, security and business objectives don’t align, however, this doesn’t make a lot of sense logistically since security exists to enable an organization to conduct business. We aren’t performing security for the sake of performing security; we are performing security functions to protect the business. Once we change the language of why we have certain security objectives from highly technical cybersecurity language to more accessible language, like “Here’s how this security initiative supports this business goal,” we can more easily align business and security goals.
Aligning initiatives is a great way to begin your journey to cyber resilience, but another essential step is to realize that every member of your organization is on the security team. An organization’s weakest link when it comes to security is its people, but by helping members of the organization understand how important they are in maintaining a secure environment, you can reduce the risk your people pose to your security. A few ways to help members of your organization understand their role in your security program are:
- Connect security to your organization’s overall mission statement
People love to rally around a mission that they believe in. Executives spend a lot of time and effort creating mission statements to drive an organization. Work with your security team to figure out how security helps support that mission and communicate that throughout the business.
- Teach a shared cybersecurity language that everyone can understand
Give members of your organization a way to understand their role in keeping the organization secure. NIST cybersecurity framework language like identify, protect, detect, respond, and recover can be a great place to start.
- Create an environment where people can speak up
It’s not always easy for members of an organization to speak up when they think something isn’t right. If the executives in an organization don’t take the time to listen to their employees, the employees won’t feel like they are able to raise concerns if they notice that something is happening that could put the business at risk. However, if executives take the time to properly train their employees on security best practices and provide the space for them to speak up, cyber resilience is within reach.
What kind of mindset is best for an organization trying to become cyber resilient?
You need to want to learn. No one knows it all, so you have to be willing to ask questions and learn from those with more experience than you. When you’re thinking about mastering subject matter, you have to learn the basics first—this is true for anything. This could look like providing security training for all members of your organization, making sure all departments know their role when it comes to security, and allowing the space for your security team to loop everyone in on security policies and procedures.
What’s been missing?
The main reason organizations haven’t been prioritizing a security culture is a lack of governance. Whether it’s the board’s responsibility or executive management’s, those groups need to be acknowledging and embracing ownership in establishing a culture of security and becoming cyber resilient.
When a company-wide security initiative is established, all members of the organization should feel involved and confident in their personal role. While it may not seem obvious, all departments play an important role in upholding an organization’s security. Think about the sensitive data people from development, operations, human resources, and marketing have access to. Don’t you want them to know how to keep that information secure?
Joseph shared a story about someone he worked with in the HR department of one of KirkpatrickPrice’s clients. This individual was tasked with writing policies for her organization to help keep their data safe. She slowly learned more and more about security and compliance, and eventually, she had the responsibility of identifying and checking up on potential security threats. Because her organizational leaders involved her in their security program, she grew in confidence and authority and became an important asset to the organization’s security program.
You have more people in your organization that can help you reach cyber resilience than you may think. Make sure to take the time to educate and empower the entire community on cybersecurity and your specific security goals.
How can you change things?
Don’t be afraid to invest in cybersecurity. Chris brought up the helpful point that he’s never seen an organization under-invest in cybersecurity and be thankful for it in the long run. The average cost of a data breach globally is around $4.5 million and around $9 million in the US. Can you afford a breach? Many organizations can’t, and that’s why investing in cybersecurity upfront is the best thing you can do to start working towards cyber resilience.
Invest money in training for all members of the company. We have to train like we fight because, in the end, we will fight like we train. If you’re not prepared for a security incident, you won’t suddenly rise to the occasion and contain the threat quickly and efficiently if that’s not what you’ve been practicing.
Security has to be a top-down initiative, starting with the CISO, C-level execs, and the security team. Find ways to make security engaging so everyone will feel called to participate. This will lead your organization into cyber resilience.
What does a cyber-resilient organization look like?
To end the webinar Joseph went over a few identifiers of a cyber-resilient organization.
A cyber-resilient organization:
- Is one that when faced with incidents and attacks, they know how to navigate them and learn from them
- Is ready to protect themselves if an attack should occur
- Aligns objectives with risk and the need for IT, security, and compliance
- Realizes that security is just as important as everything else in the organization
- Will survive and thrive in the face of ever-present security threats
The members of the organization:
- Know how to communicate about new and existing cybersecurity threats, frameworks, and customer requests
- Have developed a common language where all members of the organization can understand what’s happening
- Should be talking about cybersecurity in board meetings, management meetings, department meetings, and anywhere else throughout the company
Become Cyber-Resilient with KirkpatrickPrice
We know that it can feel overwhelming to try to reach cyber resilience on your own. Sometimes it’s hard to even know where to start. That’s why our security experts are dedicated to providing the best security and compliance services to our clients. At KirkpatrickPrice, we don’t just want to check off some boxes saying that you’re doing everything you’re supposed to be doing to remain compliant. We want to partner with you on your entire compliance journey and help you become the cyber-resilient organization we know you can be. If you have questions about what you can do to make your organization cyber resilient, connect with a KirkpatrickPrice expert today.
For more information about CyberCX and how they can help your organization, contact them here.