Last month, the CompTIA Cybersecurity Advisory Board released the executive brief “Building a Culture of Cybersecurity,” a white paper highlighting cybersecurity threats, issues, and considerations inherent in today’s digital environment. The work is aimed ostensibly at the sensibilities of corporate boards and executives working at large enterprises. But because we believe digital technologies enable small firms to operate at a scope and scale like big corporations, we see many of the paper’s tenets as foundational elements for cybersecure culture at small to mid-size businesses (SMBs), too.
For starters, we strongly agree with the Advisory Board’s opening premise:
“For many organizations, there needs to be an important shift in mindset: Security can no longer be thought of as a technical problem with a technical solution; it must be treated as a critical business concern.”
So, we’re launching a series of posts translating the brief’s “six guiding principles that will enable senior leaders to assess and improve their organization’s approach to cybersecurity” into Building Blocks of Cybersecure Culture for SMBs.
Part 1 -- Integrate Cybersecurity into Your Business Strategy
First, let’s establish the meaning of the term “cybersecure culture.”
As we have defined it previously, the cybersecure culture concept is grounded in the reality that any company of any shape or size in any industry could be at risk from multiple threat factors at any given time, as digital business transcends physical borders and functions 24 hours a day. Hence, all technology users, from entry-level personnel to C-suite leaders, share responsibility for safeguarding an organization’s digital assets, such as confidential data and brand reputation.
Fighting cyber threats is a “whole company issue,” wrote Wade Baker, associate professor of integrated security in Virginia Tech’s Business Information Technology program, in a special report for the SmartBrief on Security newsletter. The reason, per Baker? Because everybody involved in the organization, including its partners and contractors, is a target.
That’s why SMB executives should quantify cybersecurity efforts across their business and lead the way, advancing innovative approaches to cybersecurity costs—and returns. How? We translated three points from the CompTIA piece to an SMB perspective:
- Consider Cybersecurity as an ROI Proposition – Assess cybersecurity in the context of your company’s strategic plan, in which risks are balanced alongside growth opportunities. Two keys to keep in mind: Many basic cybersecurity tests cost very little to execute but can provide valuable returns; and, when given limited resources, focus first on protecting against the most serious or more likely threats.
- Identify Your “Crown Jewels” – Establish organizational consensus around data that truly is mission-critical to your business, information assets that generate a competitive edge. Your primary focus must be protecting these digital gems, because they will catch the eyes of cybercrooks.
- Put New Mindsets before New Technologies – As we’ve advocated in past posts, the NIST framework can help executives consider cybersecurity in terms of business goals, rather than just as technological specifications. NIST offers a nine-page outline to help technology leaders create a step-by-step path to more robust cybersecurity.