Fostering a strong cybersecurity culture is widely recognized as a foundational element of a healthy security program. However, a recent survey by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) found that many CISOs believe their companies still have a long way to go in establishing the right cybersecurity culture.
What is cybersecurity culture? The European Union Agency for Cybersecurity (ENISA) provides the following definition:
“The concept of cybersecurity culture (CSC) refers to people’s knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values regarding cybersecurity and how they manifest in their behavior using information technology. Although CSC covers familiar topics such as cybersecurity awareness and information security frameworks, it is broader in scope and application, making information security considerations an integral part of employees’ work, habits, and behaviors. The focus is on incorporating them into everyday actions.”
In other words, a cybersecurity culture treats security as a necessary element of achieving the organization’s overall mission. The survey shows that CISOs see cybersecurity culture as inextricably tied to best practices in threat prevention, detection, and response. When asked how they could improve their organization’s overall cybersecurity program, 60% of CISOs surveyed said they should strive to build a better cybersecurity culture across the organization, compared to 42% of all other respondents.
Notably, CISOs also said they are improving their companies’ cybersecurity programs by involving executives and boards more closely in cybersecurity decision-making and oversight, increasing cybersecurity budgets, and improving security hygiene and posture management. All of these are components of a strong cybersecurity culture.
Most CISOs believe cybersecurity culture needs to improve
The survey data bears this out. More than a third (36%) of CISOs rate their organization’s cybersecurity culture as advanced (slightly higher than all other respondents), while 34% rate it as average. Strikingly, the remaining 30% were less positive, rating their organization’s cybersecurity culture as fair or poor.
Given the importance of cybersecurity culture, the data points to a disconnect between CISOs and other company executives. Unfortunately, this appears to be an occupational hazard for CISOs. When asked whether they had ever worked in an organization that deliberately ignored security best practices or regulatory compliance requirements, more than two-thirds (68%) of CISOs said they had worked in at least one such organization, compared to 57% of all other respondents.
CISOs want more cybersecurity leadership from business executives and their teams
As part of the survey, respondents were asked for suggestions on how their organizations could improve their cybersecurity culture. Although CISOs’ recommendations were often similar to those of other cybersecurity professionals, their responses stood out in a few areas. For example, CISOs want security teams to be involved in all business planning so they can build threat models and implement appropriate controls early. They also want business managers to take greater responsibility for cybersecurity within their business units, effectively acting as Business Information Security Officers (BISOs) with support from the security team. This may stretch some managers’ skill sets, but CISOs could meet them in the middle by asking them to align specific business processes with appropriate risk mitigation, cyber defenses, and security monitoring.
Overall, CISOs suggest that the rest of the organization, especially executives and boards of directors, take cybersecurity more seriously. It’s worth noting that CISOs aren’t simply blaming others for cultural deficiencies: 40% want corporate boards to increase the level of employee involvement in guiding these changes. This alone shows CISOs’ dedication to the mission.
It’s clear that a cybersecurity culture relies on strong leadership from company executives. Unfortunately, the data suggests that CISOs’ relationships with corporate boards are complicated. When asked to characterize their working relationship with the board, 40% of CISOs described it as fair or poor, an unhealthy and risky situation. To rectify this, 60% of CISOs recommended increasing CISO participation in management teams and boards of directors, including involvement in all business plans and strategies.
The Enterprise Strategy Group and ISSA study revealed two contradictory and worrying situations.
- CISOs believe that a strong cybersecurity culture is a best practice and greatly assists in the mission of preventing, detecting, and responding to cyber threats in a timely and effective manner.
- The cybersecurity culture of many organizations lags behind where it should be.
While CISOs appear poised to act as change agents, outside help may be on the way. New regulations, such as the latest SEC rules on cybersecurity risk management, the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the impending NIS2 directive from the European Union, impose additional cybersecurity requirements on companies, including explicit accountability for boards of directors and management teams. That accountability makes cybersecurity culture an imperative rather than an aspiration.
Between constant cyber threats, economic losses, and these new regulations, there is no doubt that improving cybersecurity culture will be a priority for many organizations in 2024 and beyond. Although this puts CISOs in a tough position, research shows that most CISOs would welcome this step in the right direction.