When the CompTIA Cybersecurity Advisory Board published an executive brief, “Building a Culture of Cybersecurity,” we seized upon the opportunity to launch a series of posts interpreting the brief’s “six guiding principles that will enable senior leaders to assess and improve their organization’s approach to cybersecurity” as Building Blocks of Cybersecure Culture for SMBs.
Our first installment defined the term “cybersecure culture” and stressed three pieces of advice from the CompTIA white paper:
- Consider Cybersecurity as an ROI Proposition
- Identify Your “Crown Jewels”
- Put New Mindsets before New Technologies
To learn more about these points, read our post “Integrate Cybersecurity into Your Business Strategy.”
In this installment, we elaborate on the Advisory Board’s admonition that “If you do not explicitly build cybersecurity into your organization, you communicate that you are not truly committed to the goal.”
Part 2 – Your Organization’s Structure Should Reinforce a Cybersecure Culture
Cybersecure culture is more than an assignment handed to your internal IT team and/or your IT managed services provider (MSP). A true cybersecure culture is built into the company’s org chart, reporting protocols and the other policies and processes you rely on to manage your business.
Here are our guidelines for constructing this type of structure:
- Teamwork is Tops – Appoint one member of your leadership team to specialize in and report on cybersecurity issues. Still, every member of your senior executive team should remain involved in and informed about cybersecurity. Having someone who is technology-savvy and can translate pressing IT issues into business terms is critical when shaping this team. But avoid relegating cybersecurity to your “IT guy” alone, or outsourcing the responsibility in full to your MSP and then disconnecting. (Collaboration is critical when working with MSPs.) Leadership as a whole must stay engaged to sustain a cybersecure culture.
- Establish a Formal “Chain of Command” – In a past post, we compared vigilant cybersecurity to conducting a war. “Lives may not be at risk, but livelihoods are,” we wrote, referring to the excessive cost of data breaches. So, why not learn from the way great generals win battles? Strict adherence to a chain of command. No, boot camps and courts martial aren’t what we mean. But a clear delineation of authority is. Map accountability for cybersecurity from leadership to the front line, specifying responsibilities for coping with cyber threats, such as identifying and avoiding ransomware.
- Recognize & Reward Cybersecure Habits – Do we mean give employees bonuses for not falling for phishing emails? No. But we strongly recommend praising members of your organization who take initiative and pride in mitigating cyber risks. For example, who has a great approach to managing passwords? Perhaps that staffer could lead a lunch-and-learn session for others with the company paying the tab.
In short, your entire organization should understand, acknowledge and embrace a collective mission: Making your company cybersecure.