I recently discovered a fascinating C-suite report that used an apt metaphor to capture why culture is so challenging for businesses: Organizational culture is like an iceberg. That was Deloitte’s take, and it resonates with me. The relatively small portion you see above the waves represents isolated, highly visible problems—like the employee who opens the door to an attacker by clicking on a link in a phishing email. But the bulk of the culture iceberg is submerged: the shared, but often hidden, beliefs and assumptions that ultimately allow those major security problems to occur.
That’s why creating a healthy cybersecurity culture is such a high priority—and also such a significant challenge. Employees are on the front line of a company’s cyber defense, and their involvement is critical not only in preventing compromise but also in helping the organization respond quickly to the few inevitably successful attacks. For this reason, I consider a security-aware workforce to be one of the three essential elements of a cyber-resilient organization, along with mature cybersecurity capabilities and security-focused technology operations.
The challenge is that building a cyber-resilient organization means instilling a security-aware culture across the entire workforce—executives, managers and line workers, as well as IT and security experts. And changing the beliefs and assumptions of an entire workforce is not easy.
Yet meeting that challenge can deliver business benefits that extend far beyond a reduction in cyber-incidents, according to a landmark CMMI and ISACA study of the cybersecurity culture at more than 4,800 organizations worldwide. Yes, two-thirds of organizations that successfully implemented a cybersecurity culture with substantial employee buy-in said they reduced cyber incidents as a result. That’s a huge benefit in itself.
But more than half of those companies also built strong customer trust and improved their brand reputation, and a substantial number increased profitability and speed to market. In fact, 87 percent of all surveyed organizations believe that strengthening their cybersecurity culture would increase profitability or viability. The financial implications are perhaps not so surprising, since other studies have found that more than half of corporate data breaches result in significant costs, sometimes including lost revenue, not to mention the long-term impact of a tarnished reputation.
Editor’s note: This is an excerpt; the post continues in the full version. For information on the CMMI Cybermaturity Platform, visit the CMMI website.