There’s an ever present theme in my discussion about cybersecurity; Cybersecurity should be a culture.
You see, when most people talk or hear about Cybersecurity, they immediately almost associate it to the opposite of hacking. Inasmuch as that has some truth in it, it leaves a lot to be desired.
By definition, it means the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems and sensitive information from digital attacks.
This shows that it is not only a people-problem. It is an entire department in itself. It has procedures, processes, systems and personnel, not to mention specific skills.
What I mean when I say it is a culture, is that it is not a do-once and forget thing. It is a do-and keep doing process. One that keeps changing, sometimes too fast and too quick.
The culture
In an organization, to ensure maximum compliance to security, a security posture has to be developed and embedded to the actual duties of each staff. Every checklist must not be missed or else a breach occurs. And as we know, it only takes a single point for the entire system to be compromised.
Password security, email security, physical security, phishing tests, security policies, are all procedures that once done several times, seem okay and obvious that most employees them repetitive and therefore abandon them.
One way to make them feel non-obstructive is by making them enjoyable, and shuffling activities every time an activity is done.
Once your employees get that they need to change their passwords every 90 days, that they will not open links they don’t trust, etc. it becomes embedded in them. It becomes an identity they can identify with. It becomes a culture. They then can spread this to other people, friends, colleagues, etc. and when your employees are indoctrinated to this culture, your CISO will have an easier time managing your Cybersecurity posture.
It will mean less security incidents, less money on recovery, more efficiency, cleaner reports, increase customer trust. Today, this can hugely benefit fintechs, as they are the ones with the most trust issues right now.
Final thoughts
Cybersecurity is slowly getting the voice it needs in our boardrooms, but still the accountability lies primarily with leaders in IT.
For instance, there’s still an ever growing gap in Cybersecurity professionals globally. Companies are not changing their hiring procedures and requirements, meaning that this is going to go on for a while.
And mind you, companies are now more than ever prone to cyber attacks. This is due to the mass migration to digitization of business processes, having more sophisticated systems and the de-centralization of systems, like the cloud architecture.
Cybersecurity mostly fails because of lack of adequate controls. No organization is 100% secure, and organizations cannot control threats or bad actors. Organizations only control priorities and investments in security readiness.
