While the vast majority of security professionals believe a stronger cybersecurity culture would improve their business, nearly all companies—95%—have a gap between their desired culture and reality, according to new research.
The 2018 Cybersecurity Culture Study, conducted by ISACA (formerly the Information Systems Audit and Control Association), found that 88% of companies believe they can transform their cybersecurity culture for the better. The organizations with the most mature cybersecurity processes were those that invested in their employees, said Rob Clyde, chair of ISACA's board.
"Those companies that felt more mature in cybersecurity were investing more in their people—literally. It was over twice as much on a percentage basis, so it was not even close."
—Rob Clyde
The study found that efforts focused on employees are the fundamental component of creating a cybersecurity culture that will serve to improve business and reduce risk. Nearly 70% of the study's 4,815 respondents, for example, believe that clearly communicated policies strengthen security culture. Sixty percent believe that employees following those policies also strengthens security culture.
Employees who recognize that they serve a role in identifying and preventing security threats, and who participate in regular security training, are the most engaged in helping their company tackle cybersecurity risks. Such efforts result in companies with mature security cultures that have better visibility into risks and fewer cybersecurity incidents. They are also able to get back to business faster following an incident.
Here are four efforts that security experts say will improve cybersecurity culture and help your business head off threats.
1. Security training requires employee feedback
Companies' top priority in improving cybersecurity culture is training employees. Eighty percent of companies plan to improve their cybersecurity culture through employee training, while 79% of respondents plan to better communicate behavioral policies.
But a key component of making such training and communication work is turning these interactions into a dialogue. Companies with successful security cultures discuss security issues with employees and, just as important, take their feedback into account, according to the study.
About 80% of companies with a very successful security culture have assessed employees' views about the business's cybersecurity culture, compared to only 47% overall.
2. Bring lessons home with exercises
Most employees have no context to evaluate cybersecurity risks and threats. Incident response exercises can help employees gain experience. More than half—57%—of companies conducted hands-on training with employees to improve cybersecurity culture, according to the study.
Doug Dooley, chief operating officer of application security firm DataTheorem, says: "Security is a weak-link sport, not a strong-link sport."
"Because security is asymmetric warfare, you have to be focused, and you have to find a way to bring security to the individual."
—Doug Dooley
3. Lead from the top
Companies that fail to create a cybersecurity culture are often not getting leadership from the top. One in three respondents to the survey cited executive support as the major stumbling block.
Management needs to walk the talk, ISACA's Clyde said. "They need to take ownership of their own cybersecurity."
"I've seen a lot of incidents where the management says that cybersecurity is important, but then they turn around and ask for exceptions—and that is the death knell of any cybersecurity program."
—Rob Clyde
4. Incorporate more automation
Finally, companies should support employees and look for places where security automation can be incorporated into software development and daily processes. When automation makes employees' jobs easier while building cybersecurity into their daily workflow, it can significantly improve a company's cybersecurity posture, said DataTheorem's Dooley.
"Automation is powerful. The automation helps speed their work, and it almost becomes addictive."
—Doug Dooley
While improving cybersecurity culture helps set the foundation for reducing a business's future risk, success is not just about culture, ISACA's Clyde said. Tools are also necessary to support employees, and companies should invest there as well.
"All the training in the world will not prevent a company from having a person click on an email. We are going to get diminishing returns to training people, and, for those reasons, putting in additional tools also has to be part of the equation."
—Rob Clyde