The importance of a strong enterprise cybersecurity culture to the overall effectiveness of an IT security department can't be overstated. It's consistently named by executives as a crucial, if ephemeral, ingredient for cyber risk management success.
For those security and executive leaders wondering what exactly it takes to build that kind of culture, (ISC)2 recently released a study right up their alley. The Building a Resilient Cyber Security Culture study took a look at some common practices and characteristics among 250 organizations with "a solid track record of cybersecurity."
The study confirmed a lot of the common wisdom that security thought leaders have been spouting for a long time, particularly when it comes to how these organizations recruit and retain security teams.
"Companies still struggling with unfocused cybersecurity strategy, uncertainty in their cybersecurity readiness or that are unable to retain their security staff should consider modeling themselves after these organizations," the report suggests.
Here are some of the key themes that bubbled up from the survey results.
Support from the Board and Top Execs
Fundamental to a resilient cybersecurity culture is support from the top. Most experts agree it is essential to weaving security throughout an enterprise—it's crucial for two big reasons.
First of all, high-level executive support is usually needed to green-light the big investments necessary for strong security. Secondly, it helps security teams wield the kind of authority required to get everyone in the enterprise to shift away from the "that's the way we've always done it" mentality when it comes to making meaningful changes to processes.
The (ISC)2 study confirmed the long-cited wisdom that cybersecurity starts with the tone from the top. Among organizations with the strongest security track records, 97% say top management understands the importance of strong cybersecurity and 96% say their risk management policies align with the board of directors' cybersecurity strategy.
Strong Risk Management Policies
Speaking of policies, they are also a common theme among the top-performing security organizations. According to experts with Deloitte, it's critical to establish policies in order to set baseline performance levels.
"Whether you're building or revamping, it's important for organizational risk leaders to set a target state for cyber maturity," wrote Stephane Hurtaud and Roland Bastin, partners in Deloitte's Information and Technology Risk division, in a recent piece on cyber risk.
According to the (ISC)2 survey, 58% of cyber resilient organizations have very strong risk management policies. That's important because without good policies, it is impossible to set up repeatable processes that remain effective even in the crucible of real-world attacks and security incidents.
"Developing meaningful cyber-related messages for the broader organization can help foster the flow of information when there are cyber incidents or concerns," Hurtaud and Bastin said. "But clearly defining the triggers or threshold events, as well as the actual processes for moving information up to management can make the difference between functional and effective."
Security Jobs Clearly Delineated
According to past studies from (ISC)2, one of the top complaints that cybersecurity job seekers report is a lack of clarity in job descriptions for open positions. In a report from earlier this year, over half of them say that unclear security job ads show that the organization doesn't truly understand how security works.
"Not all candidates can deliver every skill, so avoid using a 'kitchen sink' approach in job descriptions," (ISC)2 experts wrote. "It’s a turn-off to seasoned jobseekers."
According to the recently published study, 52% of those with strong security culture draft clear job descriptions when hiring. And among these organizations with resilient cultures, the top three attributes they look for when recruiting and developing security staff are:
- Skill and knowledge with our technology (72%)
- Knowledge of security best practices (65%)
- Understanding of our processes, data flows and controls (63%)
"The key takeaway for employers is to recognize that they must be realistic about what a single candidate can bring to the table and be smart about building a well-rounded cybersecurity team across skillsets and disciplines," (ISC)2 experts say.
Strong Focus on Training and Certification
It's a little bit of a chicken-and-egg conundrum when you think about the relationship between security culture and professional development of security staff. Does having a staff full of trained and certified individuals promote a cyber resilient culture, or does having that strong culture draw those people? Probably a little bit of both.
Regardless, the correlation is undeniably present.
According to the survey, among cyber resilient organizations:
- 70% train and promote from within,
- 70% hire certified security professionals,
- 57% offer training and certifications to employees, and
- 55% cross-train on cybersecurity skills and responsibilities.
That's in stark contrast to the typical organization. According to one survey from Cybrary, only about 15% of employers today cover all of their security employees' training expenses.
Established CISO Role
Believe it or not, almost half of enterprises today still operate without a C-level executive in charge of cybersecurity. The experts at PwC ran a study earlier this year that showed just 52% of global organizations have a Chief Information Security Officer (CISO). Meantime, the (ISC)2 study strongly suggests the importance of a CISO role in establishing cyber resilience. Around 86% of organizations with a solid security culture employ a CISO.
Who that CISO reports to varies considerably. Around 43% report directly to the CEO, while 35% report to the CIO. Around 14% report to the board and another 7% report to others, including the COO and CFO.
User Security Awareness Training
Time and again security experts have shown that the average business user is the weakest link in cybersecurity.
"No matter how sound your infrastructure, bear in mind that all your efforts can be circumvented, either deliberately or accidentally, by your employees," wrote Dr. Rao Papolu of Cavirin Systems for Forbes recently.
Consider some key statistics:
- 91% of breaches start with a phish,
- 55% of executives say negligent employees are the most likely triggers for cyber attacks, and
- 70% of US employees lack security and privacy awareness.
It's no wonder that among cyber resilient cultures, one of the top ten traits that they look for in a cyber security employee is their "ability to educate users on security best practices," which was cited by 53% of them.
Long-lived Security Teams
The cybersecurity skills shortage is putting a big crunch on the longevity of security teams. Sure, it's difficult to recruit skilled security employees—one estimate says that only one in 10 organizations can fill positions within a month and only about half of organizations can fill them in under six months. But even tougher is hanging onto those employees once they've been wooed. About half of security professionals say that headhunters come calling at least once a week—that's some serious pressure to look for greener pastures.
The remarkable thing about organizations with strong security culture is their ability to retain their security staff. About 79% of these firms say their security employees have an average tenure of three years or more, and 37% say the tenure is over five years.
"Considering that cybersecurity pros are contacted by recruiters on a regular basis, this is a significant achievement," the report says.
The net-net is that respondents in the survey are spending less time sweating retention issues than they are on addressing the actual threats.
"(It's) an indication that having competent, experienced people in place allows them to focus on what is important – protecting the organization," explains the report.