Creating A Cyber-Conscious Culture: It Must be Driven from the Top

Aug 13, 2023

This article was written by Paul Ponzeka, CTO at Abacus Group, and first appeared in Forbes.

Gone are the days when cybersecurity was solely a concern of IT departments. In today’s digitized and interconnected world, businesses face more frequent and sophisticated cyber threats. Therefore, they must continuously learn new ways to protect their revenues, reputation and regulatory compliance.

This is the case across many industries—particularly within the financial services sector. With hybrid and remote working blurring traditional security perimeters and expanding the attack surface, the high volumes of sensitive financial information held by organizations are at increased risk of cyberattacks.

In this pressurized environment, businesses face mounting scrutiny from all sides, including regulators, customers and investors. With new SEC rules coming into force, for example, investment firms must have proactive measures in place to detect, mitigate and remediate evolving cybersecurity vulnerabilities and threats.

Cyber has truly been elevated to a board-level concern. As such, cybersecurity needs to be established as a critical component of broader business strategies. This means having meaningful C-suite conversations about cyber risk and requires security specialists to step up into more strategic leadership roles, driving value and enabling change by aligning cybersecurity objectives to business needs.

But it doesn’t just stop at the boardroom table. Cybersecurity is a collective problem, where everyone in an organization bears responsibility. Security best practices need to be cascaded down the business to create a truly cyber-conscious culture, where everyone in the organization—from executives to new hires—understands and takes responsibility for the security of the business.

This culture change can be driven from the top down through leadership commitment, robust cybersecurity policies and procedures and continuous employee training and awareness.

Improving Board Communication

As security and business risks become intertwined, the C-suite is paying more attention to issues of cybersecurity oversight. For some firms, this has led to the chief information security officer (CISO) taking a seat at the boardroom table. Previously seen more as a business protector than a business partner, the CISO is now expected to be a fellow board member.

However, it’s not enough for CISOs to simply sit alongside the CEO and CFO. The cybersecurity message must be communicated in a meaningful, compelling and jargon-free way to achieve executive buy-in. If their message fails to resonate with the controllers of the purse strings, true culture change will simply not happen.

To break down communication barriers and develop a cyber-conscious C-suite, security specialists must learn to speak the language of business and risk, expressing cyber risks in quantifiable financial terms. By confidently communicating the tangible value of cybersecurity—not just as a mitigator of risk but also as a business enabler—they can deliver a message that resonates at the firm’s highest level.

Driving Culture Change From The Top Down

Getting this executive commitment is key to building a strong cybersecurity culture. There is power and safety in numbers—and when leaders take security seriously and prioritize their cyber risk posture, others are more likely to follow suit, creating a ripple effect across the organization.

Therefore, a cyber-conscious culture should be cascaded throughout the firm. Security belongs to everyone, so organizations must move towards a business-wide, multilayered approach. Leaders have a responsibility to coordinate this culture shift and become drivers of long-lasting change. By developing a comprehensive security strategy encompassing both the human and technical elements of cybersecurity, they can help build the values and behaviors underpinning a cyber-conscious culture.

Continuous employee education and training is a key part of this holistic approach. As the organization’s first and last line of defense, all employees should be aware of the evolving cyber threats out there and how to handle them effectively. To keep on top of new risks and techniques, this training needs to encompass the most up-to-date security insights, tabletop exercises, and interactive simulations.

End-user education should be supported by robust written policies and procedures so that everyone from the C-suite down is singing from the same hymn sheet and working in tandem to maintain cyber hygiene. These policies must be continually reviewed to reflect the changing business and security landscape.

To help consolidate this culture of cybersecurity awareness and responsibility, firms must additionally conduct regular and thorough cyber risk assessments to determine their specific cybersecurity vulnerabilities. Network and cloud penetration testing, and social engineering testing, will also help firms identify security gaps, ensuring their dispersed workforce remains vigilant and compliant as new cyber threats emerge.

Cybersecurity Is Everyone's Business

For the alternative investment industry, there is an extra layer to this need for a cyber-conscious culture. Investment firms operate within a broader ecosystem of vendors, partners and customers—all with potential security weaknesses and backdoors. For these organizations, cybersecurity must be a collective endeavor, extending beyond the internal workings of the business to cover an array of third-party risks.

Crucially, every business in every sector benefits if a proactive and collaborative cybersecurity culture is driven from the top down. By setting the tone on both a macro and micro level, the C-suite can inspire greater cybersecurity knowledge and awareness across the entire business environment.

