If you’re like most people, you’re probably tired of seeing the constant stream of data breaches and cyber-incidents in the media. You might blame the increasing capabilities of cyber-criminals. Ultimately, though, it can all be traced back to a single truth - as a whole, nobody cares enough about cybersecurity. How can we change that?
Most businesses don’t care enough about cybersecurity. Some clearly don’t care at all. Much as you might want to protest those statements, you know they’re both true.
Consider, for example, Risk-Based Security’s MidYear QuickView Data Breach Report. Per that research, the first six months of 2019 alone saw more than 3,800 data breaches, which together accounted for over 4.1 billion compromised records. And those are just the ones we know about.
“Businesses of all sizes need to get their security act together,” writes cybersecurity expert Davey Winder. “The business sector [accounted] for 67 percent of the reported breaches and 84.6 percent of the exposed records according to the report … It doesn’t take a genius to work out that something has gone very wrong as far as data security is concerned.”
But what can we do about it? How can we make businesses care more about keeping corporate and customer data safe? How can we impress upon the C-Suite that they need to have a solid understanding of their organization’s cybersecurity risk posture?
As a whole, you can’t. Until we start seeing more significant consequences for lax security practices - consequences that go beyond fines that are functionally a slap on the wrist - nothing will change. All you can do is focus on your own organization.
The good news is that in that regard, there’s actually a great deal you can do. The first step is to start fostering more collaboration where cybersecurity is concerned. Encourage people to break down silos and communicate openly and honestly with IT about their workflows, security requirements, and pain points.
Next, you’ll want to bring the C-suite into the conversation. Impress upon them the importance of cybersecurity, and speak to them in terms they’ll understand and engage with. CISO Magazine has some excellent advice in that regard:
- Get everyone else on-board with your security efforts. That’s where the breakdown of silos we mentioned earlier comes in. Provided you’ve generated enough buy-in, you should have at least a few champions peppered throughout your organization.
- Ensure you distinguish between program maturity metrics and performance metrics. Both are important for their own reasons. Maturity metrics, however, make a more persuasive case for your security budget.
- Don’t solely focus on technology. People and processes are just as important - perhaps even more so.
- Talk in specific terms. Reference concrete standards and frameworks, and spell out the benefits of adhering to them.
- Don’t talk about cybersecurity in isolation. Contextualize it as a part of your business’s overall risk management process.
That’s pretty much it — communication, collaboration, and buy-in. Of course, if your board is determined to dismiss cybersecurity as anyone’s problem but theirs, none of these efforts will make any difference. At that point, it could well be time to consider a career change, or at the very least, to think about finding a new employer.