Most business leaders today understand the importance of cybersecurity and data integrity for their organisations. In fact, Australian companies have shown a growing awareness of cyber risks and have made great strides in improving their cybersecurity practices in recent years.
But many companies are still dangerously underprepared; even among the companies that do invest in cybersecurity, there is a huge difference in the way they put it into practice.
Many business leaders still believe that the responsibility for cybersecurity lies solely with the IT department with little, if any, overlap with the rest of the organisation’s functions. But in practice, most cybersecurity breaches can be traced back to human error originating from non-IT departments. Clearly, a tech-only approach to cybersecurity is not enough. To stay well-protected, data-driven organisations need a security-centric culture that extends across every department at an operational level.
But what would that look like? How can CEOs and leaders make sure they are getting the maximum return on their investment in cybersecurity and cyber resilience? Here are some of the key questions leaders need to ask before committing to a new cybersecurity initiative:
Q1. “Does our leadership and organisational structure regard cybersecurity as mission-critical?”
This means having clear, documented policies in place for data security, privacy, breaches and other cyber risks. Industry-specific, government-mandated compliance and regulatory considerations also need to be understood and followed. Does senior leadership understand the real-world risks and consequences of cyber threats? Does the cyber team have a say in organisational policy and structure? Only by empowering the cyber team to advocate change across the organisation, backed by senior leadership, can we build an enduring cyber-aware culture.
Q2. “Does our culture value cyber resilience?”
Cybersecurity is one thing, but cyber resilience is no less important. For modern organisations, business continuity is a major consideration, which is why cyber resilience needs to be factored into policy. Are appropriate cyber resilience measures in place? Is every team aware of, and informed about, its role in the organisation’s cybersecurity? Does each department have regular cyber training and awareness programmes assigned?
Q3. “Have we earmarked funding, resources and accountabilities?”
At an organisational level, we need to decide where funding for cybersecurity will be sourced from and who decides its budget. The next order of business is to place someone in charge of the function: who do we mobilise in case of an incident? Who manages the cyber team and makes sure all the other departments are complying with cyber policy? Is that cyber leader clear about their role, scope and responsibilities? Do they have the tools, resources and training to do the job?
Q4. “How do we define and measure success?”
How do we measure the outcomes of the cyber initiative? We need to have clear, agreed-upon metrics and measurable goals for the cyber team. What’s more, they need an end-goal; they must know the outcome the organisation is striving for in order to achieve it. All stakeholders need to align on a clear, achievable picture of what success looks like. Once aligned, the next step is establishing roadmaps, milestones and key performance indicators, complete with regular check-ins and follow-ups.
If these questions seem challenging, it’s because they are. But asking them at the outset will bring much-needed clarity to the scope and depth of your cybersecurity initiatives. Having the answers, and buy-in from stakeholders, will go a long way towards ensuring that the culture you are building is not only manageable but also sustainable in the long term.