The idea that cybersecurity should exclusively be the domain of a single department is highly outdated. We live in an era of hyperconnectivity, where anyone can access sensitive information from anywhere. The protection of corporate systems and data cannot be a one-team (or, as is the case in some organizations, one-person) responsibility.
While your information security team can and should act as the guardian of your network, you need to bring other departments on board as well. Each has its own skin in the game where security is concerned. And if you make decisions about cybersecurity without consulting them, you may paradoxically create an even greater risk.
The challenges of cybersecurity today
According to a recent survey from industrialized services and automation firm NetEnrich, 20 to 40 percent of technology funding is now spent outside the purview of the IT department. It follows that it’s also spent without consulting the information security (IS) team. You can see why that’s a problem: even if they have the business’s best interests at heart, most people don’t understand what goes into making a system secure.
Moreover, it’s long been common knowledge that people seek convenience. If a system is cumbersome or frustrating to use, or if users feel it directly interferes with their workflow, they will simply use something else, even if doing so endangers sensitive assets. Where security is concerned, some level of inconvenience is to be expected, of course. That is exactly why it’s so important for you to talk to your colleagues.
We are no longer living in the 90s or early 2000s, when cybersecurity could be taken care of solely by the IT department. Malware detection, network monitoring and strong firewalls are still necessities, of course. But these tools alone are no longer enough.
Thanks to the advent of cloud computing, mobile technology and the Internet of Things (IoT), the enterprise cybersecurity landscape has become both overwhelmingly expansive and incredibly complex. Factor in a sharp upturn in user enablement and a booming cybercrime industry, and it becomes clear that businesses must rethink their approach. A dedicated information security team is a good start, but it’s only the first step.
Enabling a culture of cybersecurity
What businesses need is to enable a culture of cybersecurity and accountability. This is something that cannot be realized without executive buy-in. Yet, amazingly, the idea that executives themselves have a stake in securing corporate assets somehow remains a sticking point for the C-suite.
Consider the results of a 2018 survey on cyber-resilience by professional services firm Accenture. In that survey, 73 percent of 1,400 C-suite executives agreed that cybersecurity activities and staff should be distributed across departments. Curiously, even in light of this, cybersecurity remains largely centralized in 74 percent of organizations.
Only one in four organizations admitted to sharing responsibility for cybersecurity amongst the leadership.
The first step in changing this is simple. Security professionals — yourself included — need to talk about it and do so in layman’s terms. If you speak at length about risks, threats and technical details, people will tune out. They’ll fall back into the old line of thinking that this is your responsibility because they only understand about half of what you’re telling them.
Instead, what you need to do is look at things from their perspective.
First, discuss how a new innovation or initiative might influence existing security processes, and how those changes might impact workflows.
Next, evaluate the steps your business might take to improve its security posture and create a roadmap to that effect. Discuss your cybersecurity budget — where you’re spending your money, where you should be spending your money and why you should be spending it there.
Further, it’s important to ensure that each member of the C-suite regularly discusses matters with their subordinates. Your part in this is simple — endeavor to understand the pain points of each business unit and take proactive measures to address them. To ensure that everyone is in alignment, see to it that your feedback and input are incorporated into these meetings and that you incorporate the feedback of other departments into your own security efforts.
With these lines of communication established, you can start taking the necessary steps for a more focused, business-wide approach to cybersecurity, including:
- Establishing clear cybersecurity policies around access control, collaboration and acceptable use
- Shifting your business’s risk mindset to focus on people rather than systems. Technical controls are still important, but even the most impregnable fortress falls if it’s staffed by people who don’t know how its defenses work
- Implementing programs that educate employees on these policies, and rewarding them for complying with them
- Encouraging your C-suite to focus more on cybersecurity issues within the wider industry
- Incorporating a process for regularly reviewing and evaluating your security posture
The days when cybersecurity was the sole domain of IT or IS are far behind us. Protecting your business against digital threats is now everyone’s responsibility. Your executives have their part to play in that, the same as everyone else. Without them to lead the charge, your other efforts will be in vain.