Cyber Resilience: A Business Imperative Rooted in People-Centric Culture
As organizations look to position themselves for relevance in the digital economy, they have come to realize that Digital Transformation is more about business transformation than about technology (which is the enabler of the business strategy). The same sentiment applies when we look at Cybersecurity.
The approach to Cybersecurity requires the same paradigm shift from organizational leadership. It’s no longer a concern relegated to the IT department alone but needs to be seen as a critical business imperative across the board, and even beyond our usual scope of control (i.e. customers and third-party stakeholders).
As organisations become more digital in their offering and embrace the interconnectivity of mesh architecture, IoT, AI, and other emerging technologies, so will their exposure to cyber-attacks increase.
Leadership needs to shift its focus away from trying to stop every attempt and instead focus its efforts on building resilience for when the attack comes. This requires a people-centric approach to cyber resilience development, which is not just beneficial but essential if you are looking to be positioned strategically and competitively for the long game.
Here are three (of the many I engage in) practical aspects to get you started in the right direction and showcase impactful value:
1. Leadership Commitment and Role Modeling:
“Values and priorities set at the top create ripples throughout the entire organization. Like a mirror, the team reflects the leader’s focus and convictions.”
The role of leadership in cultivating a cyber-resilient culture cannot be overstated. Leaders must not only prioritize cyber security in their strategic planning (budget, priority, resources) but also embody the very practices they advocate. By doing so, they set a powerful example for the rest of the organization. When employees see their leaders actively engaged in cyber security practices, it reinforces the importance of these measures and encourages widespread adoption. A study by McKinsey & Company emphasizes that organizations where leaders prioritize cyber security see a more robust cyber posture. Leaders need to embody and promote Cybersecurity practices to set a strong example for the entire workforce.
Three things you can start doing from tomorrow:
1. Tie intended behaviours to performance: Embed your Cyber Resilience strategy into your performance management process, from your leadership to the coal face of your operations.
2. Be the example: Be vulnerable in your engagement and be part of the showcase of what Cyber resilience means for the organization (form part of the change management material | host “Cyber-Thons” | speak about the business imperative).
3. Be honest about where you are today and map out where you want to be tomorrow: Set goals and objectives you want to attain (it’s a journey, not a race, so work smart) that will improve your Cyber posture. Work out where you are and where you want to be, and map out your path to start the journey.
2. Elevating Awareness Beyond the IT Department:
“Even with a fortress of cybersecurity defenses, the gates can be undone by a single act of carelessness – sharing a username and password.”
The next step in transforming Cybersecurity into a business imperative is broadening awareness across the entire organization. The IBM report not only highlights the substantial financial impact of data breaches but also stresses the importance of involving every employee in the cyber defense strategy, as most successful breaches were a byproduct of social engineering. By embedding cyber security awareness into the company ethos, businesses can create a vigilant and informed workforce capable of identifying and mitigating risks.
Three things you can start doing from tomorrow:
1. Transform your learning and development efforts from “compliance” to a “business imperative” mantra: Even with good intent, most organizations are ineffective in their L&D activities because the workforce perceives the topic as something to comply with rather than something to embed into business as usual. Move away from a ‘push’-centric approach to awareness and towards a ‘pull’-centric approach built on interest and time-tailored ownership.
2. “Chance favours the prepared mind”: Put in place periodic, tailored, business-led scenarios that represent a possible breach (based on an existing vulnerability), then go through an after-action learning process with your employees so that they walk away with actions and learning points for the future.
3. Integrate Cyber Resilience into Business Continuity Planning: Ensure that for every prioritized and documented scenario type there is a continuity plan (CP) with a clear RACI matrix in place. Create windows of consistency in which this is continuously reviewed, updated, and blended with your training and business-led scenario workshops.
3. Convergence of your Education and Training into Engagement:
“Transitioning from simply educating and training to actively engaging individuals marks a paradigm shift, where learning becomes a dynamic, interactive journey rather than a static destination.”
Education and training are the cornerstones of a resilient cyber culture. Given that human error is a significant factor in most breaches, it is imperative to regularly update the workforce on the latest cyber threats and defense mechanisms. Interactive training, gamified security challenges, and real-world simulations can transform mundane security protocols into engaging learning experiences. Run regularly, such interactive initiatives can significantly decrease the likelihood of breaches caused by human error.
Three things you can start doing from tomorrow:
1. The goal is the internalization of learning, not how many people you have trained: Move away from compliance-type metrics on ‘how many’ we trained and towards measuring effectiveness. This will focus you on the right aspects of what to train. For example, run a simulated phishing campaign, then repeat it after training and engagement with the same individuals. Asking “What is the measure of success?” will enrich your L&D efforts and their outcomes.
2. Make your L&D material relevant and exciting: Steer away from boring, generic online courses and make it real for your people. Blend in real-life storytelling cases | industry expert engagements | ethically hack your leadership and use it as a podcast discussion session with your staff | have an internal TED Talk/podcast-style discussion that develops over time, with conscious ownership put in place.
3. Tailor your teachings and keep them fresh: Too much of the same message dilutes effectiveness and mindfulness. Update and refresh your material and approach consistently. Shock the system | embed new trends and cybercriminal tactics | show the impact of the latest successful breaches.
In conclusion:
Transforming cyber security into a business imperative is a multifaceted endeavor that extends far beyond technological solutions. It requires a shift towards a people-centric approach, where every employee is educated, engaged, and empowered to play a role in the organization’s cyber defense mantra. Implementing these strategies is a great starting point: businesses can not only fortify their defenses against cyber threats but also foster a culture of resilience and vigilance that permeates every aspect of their day-to-day operations. It’s a shift that requires ongoing commitment, education, and leadership, transcending the traditional boundaries of Cybersecurity.
________________________________________________________________________________________________________
Author: Antonios (Tony) Christodoulou
| CIO for 10 years in a Global Fortune500 Company | Founder of CyberDexterity | NED for Hansal International | Adjunct Faculty for GIBS Business School |