With a growing number of threat sources and successful cybersecurity attacks, organizations find themselves in a tricky spot if they wish to survive cyberspace. Oftentimes, the adversaries are not the challenge; the obstacle is the organization’s culture. Just like culture influences who we are as a people, culture influences the cybersecurity tone of an organization. Every organization has its own unique fit and feel. Unfortunately, the fit and feel of an organization's culture is not always positive.
With the understanding that cybersecurity is still a relatively new concept to many, people and organizations often fail to see cybersecurity as an enabler of business objectives. Instead, cybersecurity is often thought of as a roadblock, prohibiting the organization from reaching its goals. This negative perception of cybersecurity results in business units avoiding cybersecurity or finding ways to circumvent it. With that said, aligning security with risk management frequently leads to higher acceptance amongst the organization.
The Perception of Cybersecurity
Many organizations place a greater emphasis on technology, leaving the human aspects of cybersecurity to be overlooked. Therefore, its crucial to place a stronger focus on culture. Establishing a cybersecurity culture can influence risk-based decisions and create the perception that security is a benefit to the business rather than an obstacle. Although organizations work diligently to improve cybersecurity awareness, network defense and threat detection, the greatest protection may originate from an effective risk-based cybersecurity culture.
Each member of the organization contributes to the cybersecurity culture in some way. The concept of cybersecurity culture is based on knowledge, perceptions, views and how they manifest themselves in human behavior with technology. Ultimately, the purpose of a cybersecurity culture is to create an optimized social and psychological framework to support cybersecurity initiatives that are aligned to the strategic mission and business objectives.
Cybersecurity and Risk Management
It should be noted that forming a cybersecurity culture alone does not fix the people problem in an organization. For the cybersecurity culture to be effective, the culture should have a strong focus on risk management. Risk management should drive all security initiatives within the organization. The alignment between cybersecurity and risk management supports the identification of the adverse impact of operational dynamics and difficulties in both communicating a clear understanding to stakeholders as well as assessing the potential damages to the organization.
Cybersecurity should be included in the organization’s enterprise risk management (ERM) program. ERM allows leaders and boards to frame the organization's risk appetites and positions. Attributes of highly regarded organizations include an influential culture that supports and optimizes strategic objectives and the use of policies and procedures to facilitate decision management for internal and external risks. Through the establishment of a common language for risk and repetition across various communication channels, a risk-aware cybersecurity culture can be developed.
Establishing a Risk-Based Approach
Many organizations are not risk-driven. A number of organizations have succumbed to a "check-the-box compliance” mindset in which security initiatives are focused on passing audits instead of achieving proportional levels of security. Check-box security can lead to adverse impacts on the organization. Purely compliance-based approaches to cybersecurity are no longer adequate. Risk-based approaches to cybersecurity are better suited to address the dynamic threat landscape. Cyber threats are not static, so the approach to address them should not be, either.
Compliance and regulatory requirements are often slow to react to the ever-evolving threat environment. A risk-based approach allows organizations to change their perspective to address emerging risks as they are identified. Essentially, risk-based approaches provide a faster rate of response for risks. However, a risk-based approach is not ideal for organizations that are immature or do not have the capability to implement it. Organizations must identify their capabilities and maturity levels as well as identify gaps in their culture.
A Hybrid Theory
Risk and compliance can support each other. Compliance-based security provides some advantages. Compliance-based security provides the ability for a cybersecurity professional to measure security controls objectively. It is more difficult for an assessor to ensure that adequate security controls are implemented in a risk-based environment.
When framing the risks, one needs to understand that it is challenging to conduct an objective risk assessment, as people are influenced by their own skills, knowledge, experiences and perceptions. An underlying compliance structure should exist to ensure that the minimum-security requirements can be implemented and audited. However, when the cost of a security compliance initiative outweighs the potential impact to the organization, the risk should be accepted.
Compliance and risk management are essential, and merging both functions will benefit the organization. Compliance-based security is the starting point for security; it helps to ensure that organizations adhere to the minimum set of requirements. Compliance should not be mistaken as the objective of cybersecurity. The use of risk management considerations can build on compliance-based security and optimize the organization's security posture better than a compliance-based approach alone.
Cybersecurity is a growing challenge for many organizations. Each unique organization has its own cybersecurity objectives, constraints and other considerations. Organizations must realize that cybersecurity culture can ultimately make or break the organization. The influence that employees have on the state of cybersecurity in an organization is often a reflection of senior management. Considering the relationship between risk management and cybersecurity, senior management must decide whether to form a risk-based cybersecurity culture before establishing technology and processes. As organizations progress through cyberspace, risk-based decisions and senior management support is required to achieve cyber resiliency and promote the achievement of organizational strategic objectives.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.