Security is everyone’s responsibility. And although instilling a security culture in an organization is not always easy, it is essential.
Reputation protection, resilience, quick recovery, data protection, and adaptation to sophisticated attacks are key points in creating an effective cybersecurity culture in an organization. In fact, in the “State of Cybersecurity in 2023” ISACA webinar, Jon Brandt, ISACA’s Director of Professional Practices and Innovation, said, “Looking at the concerns related to a cybersecurity attack, the first and foremost is an organization’s reputation and then the intellectual property.” Chris Parkerson, senior manager at Adobe, added, “Our focus is how resilient we are. Should one bad incident happen, how quickly can we get back online, how can we limit any exfiltration of data and how can we make sure to be resilient against these sophisticated attacks?”1
To foster a culture of security and gain employee buy-in, it is important to focus on promoting security awareness and assessing the effectiveness of existing security measures. The chief information security officer (CISO) or another security champion must lead, provide resources, and offer support to establish a security culture in the organization. By implementing strategies that educate and engage employees in cybersecurity best practices, organizations can cultivate cultures where security becomes a shared responsibility. CISOs who understand the organization’s goals and align security initiatives with them are better placed to identify ineffective security measures and wasted resources.
However, focusing solely on security without considering its impact on operational efficiency or customer experience can lead to potential drawbacks and limitations, such as impeding growth and collaboration between security teams and other departments. In addition, insufficient support from top management poses challenges in allocating resources and implementing necessary changes effectively. These variables mean that every organization has a unique security landscape, and CISOs must continuously assess their organizations’ specific challenges. They should adapt strategies accordingly to protect valuable assets and maintain strong security postures. CISOs must apply lessons learned from cyberincidents, ransomware attacks, and threats to enhance their organizations’ cybersecurity defenses.
Communication and Collaboration
The CISO should take proactive steps to enhance communication and collaboration within their organization. This involves prioritizing effective engagement with stakeholders including project managers, executives, IT teams, employees, and external partners.
To emphasize the importance of this, consider the healthcare industry, which is particularly vulnerable to data breaches due to a lack of communication between IT and clinical staff.2 The importance of communication and collaboration in cybersecurity is highlighted by the fact that 60% of all cyberattacks are caused by insiders.3 In 2017, the WannaCry ransomware attack affected organizations worldwide, and the UK National Health Service was particularly affected due to a lack of communication and collaboration between different departments.4 Only with effective communication channels between an organization’s security team and other departments can breaches be detected more quickly. When different teams share information and concerns, they can act swiftly when unusual activities are spotted, whether by the security team or third parties.
The IBM and Ponemon Institute Cost of a Data Breach Report 2023 studied 553 organizations impacted by data breaches that occurred between March 2022 and March 2023. It notes that the average cost of a data breach reached an all-time high in 2023 of US$4.45 million, and 51% of organizations planned to increase security investments because of a breach.5 Collaborative incident response can help minimize the financial and time impact of breaches. When various departments work together, they can pool their resources effectively.
Interestingly, the report also noted that data breach costs were US$1.76 million less among organizations that used artificial intelligence (AI) and automation capabilities in their security strategies.6 Security AI and automation are more effective when they can be shared with cross-functional teams and the knowledge can be used to prevent or respond to security incidents.
By establishing clear lines of communication and fostering collaboration, CISOs can align security efforts, prevent misaligned priorities, and ensure that lessons learned are effectively applied to enhance overall cybersecurity measures. CISOs should:
- Regularly conduct cross-functional meetings and training.
- Establish a unified incident response plan.
- Implement user-friendly security policies.
- Collaborate with external security communities and advisories.
Thus, communication and collaboration break down silos within an organization, enabling a more efficient, coordinated, and cost-effective approach to cybersecurity.
Security Awareness and Training
A study by the SANS Institute and IBM found that 95% of data breaches are the result of human error.7 The Verizon 2023 Data Breach Investigations Report (DBIR) revealed that 74% of data breaches involved a human element, such as phishing attacks or social engineering.8 The report also notes that social engineering attacks have increased from 14% in 2022 to 21% in 2023.9
Neglecting to prioritize security awareness and training for employees is a common mistake. Awareness training educates employees about security best practices, minimizes human errors, and creates a security-conscious culture in the organization. Without proper training and awareness, employees may unknowingly engage in risky behaviors such as clicking on suspicious links, sharing sensitive data improperly, using weak passwords, leaving workstations unsecured, and neglecting software updates, all of which risk compromised security.
CISOs should ensure that employees are well-informed about security best practices, potential threats, and their roles and responsibilities in maintaining a secure environment. This can be done by collaborating with HR teams for training integrations, promoting user-friendly security policies, and tailoring training to specific roles, measures, and culture. It is also crucial for training programs to be ongoing.
Proactive Security Measures
CISOs must understand the value of taking proactive security measures rather than relying on reactive approaches. Accenture reports that “while 35% of respondents to their research study said they embed security controls in all transformation initiatives from the beginning, there are still 18% who deploy security after the event.”10
A collective effort from every individual in the organization is necessary to create a culture of security. Each employee should be proactive in adhering to security policies and best practices. In addition, investing in technologies that support strategies such as collecting threat intelligence helps detect security incidents. Intrusion detection and prevention systems are also valuable investments in mitigating incidents because they can prevent severe damage.
Vendor and Third-Party Risk Management
Organizations often rely on external vendors and third parties for a diverse array of services and solutions.11 A 2022 Ponemon Institute report found that 55% of organizations across all industries stated that managing third parties was overwhelming and a drain on resources. Since then, many more third-party data breaches have come to light, compromising the personal information of millions of individuals.12 In August 2023, the UK Metropolitan Police announced a security breach involving the IT system of one of its suppliers.13 In June 2023, it was confirmed that numerous organizations, along with several US government agencies, experienced intrusions related to the exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software.14
Therefore, it is essential to implement robust vendor risk management processes to assess and monitor the security posture of these third parties. These processes include strengthening contractual security agreements, continuously monitoring vendor security practices, prioritizing ongoing risk management, and learning from past mistakes. Organizations should hold their third parties accountable for security, making it clear that safeguarding data is a shared responsibility. Neglecting these strategies can expose organizations to potential breaches through their external partners.
In the 2013 Target Corporation data breach, cybercriminals gained access to Target’s network through a third-party heating, ventilation, and air conditioning vendor. The vendor’s credentials were compromised, which enabled the attackers to infiltrate Target’s systems and steal personal information from 41 million customers. To prevent this, Target could have implemented stronger vendor security practices such as multifactor authentication (MFA) and restricted access to critical systems, which would have made it more difficult for attackers to breach its network.
In ISACA’s “State of Cybersecurity 2023” webinar, Parkerson noted, “As you add other vendors into your organization, you are increasing risk and decreasing resiliency. Security and trust are foundational capabilities of any organization.” Brandt added, “Rather than overwhelmed by external service providers and consultants engaged, there has to be a baseline capability within the organization.”15
Regular Risk Assessments
A study by the US National Institute of Standards and Technology (NIST) found that organizations that conduct regular risk assessments are 60% less likely to experience a data breach.16 Consider that in 2018, Facebook faced a major data breach where the personal information of millions of users was exposed.17 The root cause analysis conducted after the incident revealed that the lack of a proper risk assessment was responsible for the data breach. Conducting regular risk assessments is vital to identify and prioritize security risks within the organization. CISOs should ensure that risk assessments are conducted at appropriate intervals and that the findings are used to drive security improvements and resource allocation. The Global Cyber Risk Perception Survey conducted by Marsh and Microsoft found that organizations that conducted regular risk assessments were 5.5 times more likely to identify a cyberrisk before it resulted in a major incident.18
CISOs should understand that it is impractical and costly to eliminate risk entirely. Instead, they must focus on implementing risk mitigation strategies and allocating resources to wherever they can have the most significant impact on the organization’s security posture.
Continuous Monitoring and Threat Intelligence
Organizations must implement continuous monitoring and threat intelligence programs to detect and respond to evolving threats effectively. Relying solely on static security measures such as firewalls and antivirus software is not enough. Real-time monitoring is crucial. Without it, organizations are vulnerable to emerging threats that bypass traditional defenses. For example, in 2020, SolarWinds, a leading IT management software provider, fell victim to a highly sophisticated supply chain attack.19 The attack went undetected for several months, allowing the attackers to infiltrate numerous organizations.
Continuous monitoring and analysis of network traffic play crucial roles in identifying and mitigating cyberthreats such as phishing campaigns. By detecting indicators of compromise (IOCs) such as suspicious email addresses, malicious URLs, and malware signatures associated with the campaign, security teams can promptly respond to threats. Sharing these IOCs with other organizations or security vendors helps prevent the spread of the phishing campaign and enables the implementation of targeted defenses to counter similar attacks.
Another proactive method is leveraging threat intelligence feeds that provide real-time information about known malicious IP addresses, domains, or file hashes. By integrating these feeds into monitoring systems, organizations can actively identify and block connections or communications from sources associated with malicious activities. This empowers organizations to strengthen their defenses by leveraging up-to-date threat intelligence, significantly reducing the likelihood of successful cyberattacks.
Keeping an eye on emerging threats and vulnerabilities is a task that concerns everyone. Employees should be encouraged to report suspicious activities and share threat intelligence. By continuously monitoring network traffic and utilizing threat intelligence, organizations can proactively identify IOCs and stay ahead of evolving threats. Integrating these practices into their security strategies enhances their abilities to detect and respond to emerging threats, reducing the risk of successful cyberattacks and safeguarding critical assets.
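One way to integrate a threat intelligence feed into log monitoring, as an added example that is not from the article: the feed’s defanged indicators (hxxp, [.]) are normalized and then matched against proxy, DNS, and endpoint log lines. The feed entries, labels, and log lines are all constructed for illustration.

```python
import re
import ipaddress

# Constructed threat-intelligence feed (not a real feed). Indicators are given in
# the "defanged" form feeds commonly use, so they must be normalized before use.
THREAT_FEED = """\
ip,198.51.100.23,known-c2
domain,update-portal[.]example,phishing-kit
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,loader
url,hxxp://login-secure[.]example/verify,credential-harvest
"""

# Constructed proxy, DNS and endpoint log lines.
SAMPLE_LOGS = """\
2024-03-01T10:02:11Z proxy src=10.0.0.14 dst=198.51.100.23 url=http://198.51.100.23/beacon
2024-03-01T10:03:40Z dns client=10.0.0.22 query=UPDATE-PORTAL.example
2024-03-01T10:05:02Z edr host=ws-17 hash=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
2024-03-01T10:06:15Z proxy src=10.0.0.9 dst=203.0.113.5 url=http://intranet.example/index
"""

def refang(indicator):
    """Undo common defanging so feed values match what logs actually contain."""
    return (indicator.replace("[.]", ".").replace("hxxp://", "http://")
                     .replace("hxxps://", "https://").strip().lower())

def load_feed(text):
    """Parse 'type,value,label' lines into a dict keyed by indicator type."""
    feed = {"ip": {}, "domain": {}, "sha256": {}, "url": {}}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, label = (p.strip() for p in line.split(",", 2))
        value = refang(value)
        if kind == "ip":
            ipaddress.ip_address(value)  # reject malformed feed entries early
        feed[kind][value] = label
    return feed

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"query=(\S+)")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"url=(\S+)")

def scan_logs(log_text, feed):
    """Return (line_no, indicator_type, indicator, label) for every feed hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        lower = line.lower()  # case-insensitive matching for domains and hashes
        for ip in sorted(set(IP_RE.findall(lower))):
            if ip in feed["ip"]:
                hits.append((n, "ip", ip, feed["ip"][ip]))
        for dom in DOMAIN_RE.findall(lower):
            if dom in feed["domain"]:
                hits.append((n, "domain", dom, feed["domain"][dom]))
        for h in HASH_RE.findall(lower):
            if h in feed["sha256"]:
                hits.append((n, "sha256", h, feed["sha256"][h]))
        for url in URL_RE.findall(lower):
            if url in feed["url"]:
                hits.append((n, "url", url, feed["url"][url]))
    return hits

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_feed(THREAT_FEED)):
        print("ALERT line %d: %s %s (%s)" % hit)
```

The last log line matches nothing, which is the expected result for benign traffic; in production the feed would be refreshed on a schedule and the hits forwarded to the SIEM.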
Compliance With Regulations and Standards
Organizations must understand and comply with relevant security regulations and standards. Adhering to compliance regulations serves multiple purposes. First, it helps organizations mitigate legal and financial risk by avoiding penalties, fines, or legal actions resulting from noncompliance. Second, compliance instills trust and confidence in stakeholders including customers, partners, and investors by demonstrating a commitment to maintaining the security and privacy of sensitive data.
In 2023, Meta was fined a groundbreaking €1.2 billion for violating the EU General Data Protection Regulation (GDPR), followed by Amazon, TikTok, Google, and British Airways.20 A US enterprise was fined US$1.5 million for failing to comply with US Health Insurance Portability and Accountability Act (HIPAA) regulations.21
To avoid fines of a similar nature, CISOs must stay informed about changing compliance requirements and ensure that their organizations maintain the necessary controls and documentation to meet obligations.
Governance, risk, and compliance (GRC) practices such as establishing a GRC framework and conducting compliance audits enable CISOs and their teams to establish robust control mechanisms and monitor adherence to regulations. In addition, they enforce maintenance of proper documentation for audits and assessments. CISOs should collaborate with legal and compliance teams and prioritize stakeholder trust.
Incident Response and Business Continuity
Timely detection, containment, and recovery from security incidents are critical to minimize the impact on an organization’s operations, reputation, and finances. Therefore, it is essential to have well-defined incident response plans and business continuity strategies in place. In 2017, Equifax disclosed that hackers stole the personal information of approximately 147 million people from its servers.22 The breach occurred due to a vulnerability in a web application that was not patched in a timely manner. The enterprise faced severe criticism for its slow response and lack of an effective incident response plan.
To avoid scenarios such as this one, CISOs must train and prepare their teams for effective incident response. Inadequate procedures can cause delays, lead to insufficient responses, and escalate damage during security incidents. The Accenture and Ponemon Institute 2020 Cost of Cybercrime Study reported that organizations that have swift and effective incident response plans in place can reduce the average cost of a cyberattack by US$2 million.23 An effective incident response plan hinges on clearly defined roles, regular training, efficient communication, monitoring mechanisms, and continuous improvement through postincident reviews. Integrating with business continuity and compliance requirements is also essential. To enhance preparedness and response capabilities for cybersecurity incidents, organizations should conduct incident response tabletop exercises, which involve simulated attack scenarios.
Continual Learning and Adaptation
Finally, CISOs must recognize the ever-evolving nature of the cybersecurity landscape and the need for continual learning and adaptation. Staying informed by subscribing to reputable cybersecurity publications, attending industry conferences, and participating in information-sharing networks about emerging threats, industry trends, and best practices is essential to maintain effective security strategies. Engaging with professional organizations such as ISACA, ISC2, and the Information Systems Security Association (ISSA) can also provide valuable insights and networking opportunities.
Conclusion
Effective CISOs understand that security threats and technologies evolve rapidly. They have learned the necessity of continuous monitoring, threat intelligence gathering, and adapting security measures accordingly. Staying current with the latest security trends and maintaining a proactive security posture is vital to effectively address emerging threats.
Endnotes
1 ISACA, “State of Cybersecurity 2023: Global Update on Workforce Efforts, Resources and Cyberoperations,” 2023, https://store.isaca.org/s/community-event?id=a334w000005hEsVAAU
2 Coble, S.; “California Hospital Sued Over Data Breach,” Infosecurity Magazine, 27 September 2021, https://www.infosecurity-magazine.com/news/california-hospital-sued-over-data/; CBS San Francisco, “Four Bay Area Hospitals Fined Nearly $500,000 For Improper Care,” 21 April 2017, https://www.cbsnews.com/sanfrancisco/news/bay-area-hospitals-fined-improper-care-queen-of-the-valley-kaiser-san-francisco-sequoia-st-lukes/
3 The Council of Insurance Agents and Brokers, “IBM: 60 Percent of Attacks Carried Out by Insiders,” https://www.ciab.com/resources/ibm-60-percent-attacks-carried-insiders/
4 Holyome, K.; “The Landscape of Cyber Security in the NHS—And How This Has Changed Since the WannaCry Attack in 2017,” NS Healthcare, 12 March 2020, https://www.ns-healthcare.com/analysis/wannacry-ransomware-nhs/
5 IBM, Cost of a Data Breach Report 2023, USA, 2023, https://www.ibm.com/account/reg/us-en/signup?formid=urx-52258
6 Ibid.
7 The SANS Institute, “SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organization’s Cybersecurity,” 21 June 2022, https://www.sans.org/press/announcements/sans-2022-security-awareness-report-human-risk-remains-biggest-threat-organizations-cybersecurity/
8 Verizon, 2023 Data Breach Investigations Report, USA, 2023, https://www.verizon.com/business/resources/reports/dbir/
9 Ibid.
10 Accenture, State of Cybersecurity Resilience 2023, USA, 2023, https://www.accenture.com/us-en/insights/security/state-cybersecurity
11 Fortify Data, “Top Third-Party Data Breaches in 2023,” 6 November 2023, https://fortifydata.com/blog/top-third-party-data-breaches-in-2023/
12 Ibid.
13 Ibid.
14 Page, C.; “MOVEit, the Biggest Hack of the Year, By the Numbers,” TechCrunch, 25 August 2023, https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/
15 Op cit ISACA.
16 US National Institute of Standards and Technology (NIST), NIST Special Publication 800-39 Managing Information Security Risk, USA, March 2011, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-39.pdf
17 Moore, M.; “Facebook Failed to Warn Users They Were at Risk of Data Breach,” TechRadar, 16 August 2019, https://www.techradar.com/news/facebook-data-breach-had-no-warning
18 Marsh, “2022 Marsh and Microsoft Global Cyber Risk Survey,” https://www.marsh.com/ug/services/cyber-risk/insights/global-cyber-risk-survey.html
19 US Government Accountability Office, “SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response,” 22 April 2021, https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
20 Data Privacy Manager, “Twenty Biggest GDPR Fines So Far,” https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
21 US Department of Health and Human Services, “Massachusetts Provider Settles HIPAA Case for $1.5 Million,” USA, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/meei/index.html
22 Ng, A.; “How the Equifax Hack Happened, and What Still Needs to Be Done,” CNET, 7 September 2018, https://www.cnet.com/news/privacy/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/
23 Accenture, “Cost of Cybercrime Continues to Rise for Financial Services Firms, According to Report From Accenture and Ponemon Institute,” 16 July 2019, https://newsroom.accenture.com/news/2019/cost-of-cybercrime-continues-to-rise-for-financial-services-firms-according-to-report-from-accenture-and-ponemon-institute
Jayakumar Sundaram, CISA, ISO 27001:2013 LA/LI, CC
Is a principal consultant of cybersecurity at SVAM International Inc. He has been working in information security, cybersecurity, and governance, risk, and compliance practices for more than 12 years and has three decades of experience in information systems and IT delivery management.