Five Ways to Build a Business Culture Around Cybersecurity

by Darrin Maggy

August 15, 2023

If you are in a high-level position at your company, you might think that your IT (Information Technology) staff has already taken care of cybersecurity. However, senior leaders play a crucial role in cybersecurity. They set an example, guide the direction, and show what is important in the company. By talking about cybersecurity and showing that you care about it, you can influence your employees and build a business culture around cybersecurity.

So, how can you make progress in cybersecurity? From my experience as a Virtual Chief Information Security Officer, I have seen many effective strategies used by top executives. We’ll focus on five of those strategies here today. Let’s go through them. 


Five ways to build a business culture around cybersecurity:

Technology is everywhere in your business, so cybersecurity should be too. As a leader, it is important to think about how cybersecurity fits whenever you are considering new projects. If you make this a regular part of your decision-making, your employees will follow your lead. Here are some specific ways to emphasize cybersecurity in your business. 


#1: Set clear security rules

Basic things like managing passwords, securing mobile devices, and teaching employees about security are important for everyone in your company. Making these measures mandatory and easy to follow can help. 

Give each employee a secure password vault to manage their passwords. This protects both their personal accounts and the company’s data. Remind them that writing down passwords or leaving sensitive information exposed is not allowed. 

Display posters with information security messaging, include it in newsletters, and talk about it in your communications. Train managers to enforce these rules. 

Also, make sure your employees understand the rules for using personal devices securely at work. Demonstrate model behavior by properly managing your own device(s). 

Consider using single sign-on combined with multi-factor authentication (Duo is one example). Fewer passwords to remember and a second factor on every login make it safer for everyone to access company systems. 

It may sound basic, but it is important for everyone to follow these rules. Everyone – no exceptions. 


#2: Invest in ongoing employee cybersecurity training

Just having policies and tools is not enough. Regular training is necessary to help employees stay prepared for the cybersecurity challenges they face every day. 

Start by training new employees in company policies. At Integris, we use online training that is easy to track. It helps employees learn about company expectations and what they need to do. 

But training does not stop there. Keep reinforcing it and testing employees every month or quarter. It is not as hard as it seems. Our monthly online training, available through an online portal, explains common threats and gives advice for each situation. After the training, employees take quizzes to test what they have learned. We also send simulated (de-fanged) phishing emails to test their awareness and teach them how to recognize and report scams. 

You might wonder how senior leaders fit in. Well, as an executive, you should watch your employees’ training scores and use them as an important measure of how well your company is doing. Your employees are the first line of defense against hackers, so prioritizing their training is wise. 


#3: Strengthen security with regular penetration tests

We have talked about testing employees with phishing emails, but there is another test that is important: a yearly penetration test. This test simulates what a motivated hacker might do. It helps you see how well your security measures work and find weak spots. Keep in mind that a penetration test is a snapshot of the systems in scope on the day it is run, so agree on the scope up front and make sure every finding is assigned an owner and tracked to remediation. 

Make the results of these tests, including how many findings remain open and how long they have been open, part of the metrics your executive team reviews every year, or even every month. This way, you can make sure your security plan is doing what it is supposed to. 


#4: Back up words with actions

Many companies think they are compliant with applicable laws and standards. But often, when you look closely, gaps in documentation or elsewhere in the control environment are discovered.  

To avoid scrambling when regulators review your company, consider having a qualified Managed Service Provider (MSP) do a thorough check every few years. They can make sure your records are complete and ready for review. Regular evidence, such as patching and software update logs, cybersecurity monitoring reports, and tested disaster recovery plans, should be part of your routine. If you keep track of these things and show your team that you are paying attention, you will be well-prepared if a problem comes up. 


#5: Lead by example in cybersecurity

It is not good if your executive team talks about cybersecurity but does not follow the rules themselves. Leading by example is important. Be the one to take security seriously, even if it is inconvenient. Show your employees that you care about it personally. 

Since executive teams often handle sensitive company data, your devices should be more secure than others’. Keep in mind that attackers often impersonate high-level executives, for example by sending urgent wire-transfer or credential requests in your name. Do not give them a chance to succeed. 


A strong cybersecurity culture is the best defense

As a senior leader, you can help your IT team and reduce the chance of cybersecurity problems. These strategies are just a starting point. If you want to learn more about creating a strong cybersecurity program for your company, our Virtual Chief Information Security Officers are here to help. Contact us for more information.

Darrin Maggy is the Information Security Operations Manager for the Integris vCISO program. A CISSP with over 25 years of experience, Darrin provides leadership and oversight for Integris' vCISO team.
