Following our article on Breach Readiness, we'd like to further highlight that the ability to identify, manage and respond to an incident is the ultimate goal of information security. Today, it is not a matter of “if we get breached” but rather “when we get breached”. But building the necessary resilience relies on more than just great technology. The success of any information security management system (ISMS) depends on effective collaboration between people, processes and technology.
While formalising policies and implementing technology may be a relatively simple task for management, process owners and IT specialists working collaboratively, getting the people within an organisation to recognise the importance of, and thereby adhere to, cybersecurity frameworks and protocols has proven to be a much more challenging feat.
If an organisation does not operate within a cyber-safe culture, it is likely that its ISMS framework and its response to security incidents will be severely lacking and far more complicated to uplift.
How can you get employees to acknowledge and act on cybersecurity?
Executive Management’s commitment is key to getting people on board to use security resources in line with company protocol. As leaders within the company, these individuals are able both to enforce the importance of cybersecurity and to lead by example. Executives should set the directive for business and information security strategy and empower people to drive and execute frameworks, policies, standards and operational procedures. They should set the tone for active and full participation, as well as provide oversight of the implementation process.
Why is Management’s Commitment so important?
As we discussed in a previous blog post, creating a cybersecurity culture is key to getting a greater return on technological resources and strengthening the weakest security link – people. According to IBM’s Cost of a Data Breach report 2020, board involvement was in the top ten mitigating cost factors of a breach – saving businesses around $280k AUD this period. Employee participation in security awareness training was also key to mitigating damages – saving businesses approximately $330k AUD. These figures clearly demonstrate how company-wide acceptance and involvement can enhance response capabilities and minimise losses.
Further, the perception that cybersecurity is only the responsibility of the IT department is myopic and can be damaging to the overall effectiveness of a company’s information security (IS) strategy. Executive figures should emphasise that cybersecurity is everyone’s responsibility by highlighting security for what it is – a structure that facilitates an organisation’s business vision and mission, a means of ensuring business continuity and ultimately, a positive investment.
When a cybersecurity plan is championed in this way from the outset, it is less likely to be met with resistance and therefore more successful in the long run. When management figures take ownership of the organisation’s ISMS framework, they can ensure that the following elements are well received:
- The protection of the organisation’s key assets;
- The protection of these assets with a risk-based approach; and
- A paradigm shift in security awareness culture.
Executives have the authority to portray cybersecurity not only as a present and ongoing issue, but as a tool imperative to daily operations as everyone works towards a common business objective. Embedding information security in everyone’s daily activities – whether by setting the tone from the top, setting clear expectations for the IS plan or encouraging participation in security awareness training – will help others internalise this security mindset and make the plan more sustainable.
Executive support can lead to enhanced security resources.
Getting management buy-in is so beneficial because it not only assists in creating a cybersecurity culture, it also helps secure funding and defence resourcing. When the C-suite understands that security is an organisational issue and, further, sees a positive return from a redefined security posture, they are more likely to take ownership and provide more financial support for further strategic investments.
C-suite individuals often fall victim to cybercriminals themselves.
Security breaches are not selective in nature. It does not matter at which level you sit in the organisation: a security breach will happen when an opportunity presents itself at the weakest link. It could well happen at the operational level or at the top of the chain. It is therefore essential that management commit to cybersecurity best practices for the security of their personal executive accounts, as these are among the prime avenues for criminals to gain access to corporate information and wreak havoc.
Education and communication from management is key.
Cooperation between security professionals and company executives can improve an organisation’s response to breaches and other IS incidents. This collaboration can shift a company’s collective mindset and in turn boost its security posture.
For more information on ISMS governance, please contact our cybersecurity professionals.