According to ISACA and the CMMI Institute, organizations continue to invest heavily in security technology while neglecting security training to create the appropriate corporate culture.
Squarely in the middle of your layered security lies the user, who is half liability and half security sentry. To push users past the tipping point and make them a valuable part of your security strategy, organizations need to establish a cybersecurity culture that ensures users remain vigilant against attacks of all types.
But according to ISACA and the CMMI Institute in their 2018 Cybersecurity Culture Report, organizations generally think there's a gap between their current cybersecurity culture and what they think that culture ought to be.
The global survey showed that only 5% of organizations were content with the state of their cybersecurity culture, with a full third seeing a "significant gap." Fewer than half of the organizations studied regard their security culture as "very successful," and, significantly, fewer than half "conduct hands-on testing to train employees on security awareness or best practices."
According to the report, the cost of a weak cybersecurity culture is easy to see: greater vulnerability to data breaches and data loss, heightened regulatory risk, missed business opportunities, and difficulty retaining customers who take their business elsewhere when they find an organization can't be trusted to look after their information.
So, what’s the problem?
The data shows that organizations are well aware they have a culture problem, and yet they aren't taking steps to rectify it. This seems in part to be a misapplication of resources: focusing on technology rather than on employees.
As the Report puts it, "[M]any organizations base their cybersecurity on smart technology yet underinvest in what should be their first line of defense—their employees. Organizations that excel at understanding and managing the behavior of employees engage them in the defense of their digital assets, networks and intellectual property see benefits that often elude other organizations."
It's not as if organizations don't see the value of establishing a stronger security culture: 87% of them do. But they still seem to fall into the gap.
The primary reasons organizations find it difficult to build a culture of cybersecurity include:
- A lack of employee buy-in (41%)
- The challenge of building a culture across disparate business units with different styles or cultures, or which operate in different regions (39%)
- A failure to set key performance indicators or business goals related to cybersecurity (33%)
- Inadequate funding for training and education (29%)
- A lack of senior executive buy-in or understanding (27%)
Organizations with a strong cybersecurity culture consistently pay more attention to employee training than their culturally weak counterparts do. On average they devote 42% of their cybersecurity budget to Security Awareness Training and its related tools, and they use annual testing and measurement to assess how they're doing. Organizations with weak security cultures spend less than half of that share: only 19%.
"The goal must be to foster an intentional security culture, based on habits of action," is how Steven J. Ross, past board chair of ISACA and author of Creating a Culture of Security, puts it. We're in full agreement with the study's overall conclusion: if you entrust all your employees with the responsibility to fight cybercrime, you'll see fewer problems and enjoy more business gains than competitors who rely on a single technological silver bullet or make security the sole responsibility of a small staff. This is only possible by first educating employees with Security Awareness Training, which empowers users to make informed assessments and decisions as they interact with email and the web. It's through this training, and the newfound trust in the employee to act as part of the security strategy, that organizations can build the security culture they need.