How to Get Culturally Strategic About Cybersecurity

With 25 percent of companies saying that they need to significantly improve cybersecurity and 60 percent more reporting they need to do “moderate” work on current infrastructure, this according to CompTIA’s 2018 Trends in Cybersecurity report, more CEOs than ever are looking for ways to evolve corporate culture to meet the demands of the digital workplace. As the threats from phishing and malware become ever more complex, more multi-faceted approaches are needed to protect and secure data.

According to Kim del Fierro, vice president of Area 1 Security in Redwood City, California, there are a few key selling points for incorporating cybersecurity strategies, like being able to protect data and reputation, the two most at-stake risks of any breach.

For the most part, the best security plans being implemented right now tend to coincide with cultural changes within companies themselves like educating employees across the board on the risks and making cybersecurity a priority for everyone on staff, not just IT. In fact, there are many advantages both internally and externally in establishing new and improved security protocol across the board.

“Implementing performance-based cybersecurity strategies has a very low [total cost of ownership],” said del Fierro, “because companies can now pay for technology that delivers on their promise. Enterprises that have strong and thorough technology controls in front of cybersecurity education make for a healthy cybersecurity culture.”

Investing in cybersecurity can also mean the difference between protecting data and being profitable – things CEOs like a lot – or risking assets and reputation – things CEOs want to avoid at all costs. You can’t put a price tag on the impact a breach can have on brand trust.

As such, managers are finding new ways to encourage all employees to be invested in this important issue. “Employers should make learning about cyber-threats fun by energizing employees through incentives or performance-based cybersecurity programs,” advised del Fierro. “Encourage employees to report deficiencies through an internal bug bounty-like program.”

Some organizations are also instituting ongoing cybersecurity training that educates employees about what to watch out for, how to avoid problems and when to report an issue from the ground up. Often the size of a company can dictate how much effort and investment is put into cybersecurity, even though all companies are at risk. In fact, some of the biggest breaches of the past few years – remember Target? – affected smaller companies that interface with larger corporations.

According to CompTIA’s 2018 Trends in Cybersecurity report, “Businesses with fewer than 100 employees are far more likely than their larger counterparts to feel that their IT security is simply adequate or unsatisfactory. Without a deep resource pool to lean on, smaller firms struggle to address new facets of IT security.”

There are also challenges to making cybersecurity a priority. “For companies without much focus on IT security,” the report says, “it may be difficult to generate the momentum needed to build a functional team.”

There’s the added fear that throwing money at the problem may not work, and that’s partly true. The most successful plans tend to combine smart investing and the most up-to-date certifications for those charged with managing company-wide cybersecurity efforts. In a nutshell: The person or team responsible for cybersecurity must be well trained and educated about the latest scamming methods.

“Most enterprises have spent millions of dollars on cybersecurity solutions that don’t stop breaches and often feel they’ve done everything they can,” admitted del Fierro. “What they’re failing to procure is a performance-based solution that stops phishing attacks, the root cause of breaches.”

Here are three cybersecurity company culture enhancements that work:

Hire a full-time security expert or team.

Having someone or a team on staff that can report to the administration about cybersecurity can bridge the gap between what action is taken behind the scenes and how these efforts are ultimately invested in and absorbed within the broader company culture. The upside to this is that a person or team is onsite and actually contributes to the company culture in visible ways. The challenge is staying on top of the latest threats, technology and certifications within the industry, which can be costly.

Outsource cybersecurity to a third party.

Small companies may want to consider outsourcing cybersecurity to agencies that are designed to work from the outside in. An advantage to this is that IT professionals who work within the tech industry are well versed in the latest technology and certifications, and a company will not need to invest in ongoing training of in-house IT experts. The downside is that outsourced cybersecurity efforts tend to be more invisible to other employees.

Establish cybersecurity metrics.

This may be one of the most important measures of determining success, but it’s often the least used. In fact, only one in five companies actually use metrics to measure their approach to cybersecurity; even though metrics are proven to reduce cybersecurity incidents drastically.

Overall, del Fierro says that all companies, regardless of size, need to take a proactive approach to cybersecurity. “Making their cybersecurity culture stronger is not a daunting task,” she said. “It’s as simple as implementing an anti-phishing service on top of what they already have. They’ll be more secure and would rely less on employees to act as members of their security team.”

She said that enterprises have actually gotten a lot smarter in recent years, especially as cybercrimes make international news headlines. “We see them investing in their technology stack and layering in an anti-phishing service to their existing stack. By adding an additional layer of security that’s performance-based, they only pay for malicious detections caught.”

At Area 1, customers are now seeing ROI in 15 minutes. The goal, added del Fierro, “is to have comprehensive protection across email, Web and network traffic that closes the phishing gaps in their current infrastructure.”