Technology touches all employees within an organization, not just those in the IT department. Security should be no different, with a commitment that permeates from the top on down.

The state of corporate cybersecurity is anything but static. With the list of potential threats diversifying, the stakes are high for securing company systems and data. As the average cost of a data breach grows (currently estimated at $4 million), business leaders’ appetite for risk lessens. And yet fewer than half of information security professionals feel that their company’s defenses are completely up to par, according to our research at CompTIA.

Contrary to what some business leaders may believe, protecting your organization’s infrastructure and intellectual property doesn’t start with investing in a firewall. It starts with embedding cybersecurity into your company culture. Here are six steps that can help set the tone for a more vigilant, accountable workforce:

Rethink your C-suite structure: It’s one thing to create a Chief Security or Information Security Officer role, but who that person reports to can influence your organization’s security approach. By letting your top security leader report directly to the CEO, they benefit from greater visibility into company operations and decision making. It also sends a clear message throughout the organization that cybersecurity isn’t isolated to the IT department.

Prioritize end user literacy: Though many IT professionals feel their organizations’ employees have a solid grasp on security, research and real-life incidents tell a different story.
Globally, more than half of organizations report that human error is a major contributor to security breaches and related incidents. The root problem is a lack of end-user awareness. “Cybersecurity 101” sessions during new employee onboarding aren’t enough to instill sound habits. Business leaders must demonstrate their buy-in for robust end user training — from ongoing e-learning courses to simulated phishing exercises — and back it up with the resources to fund it.

Establish the right metrics: One of the biggest challenges to implementing new initiatives is overcoming the belief that current strategies and resources are “good enough.” IT and security executives can and should do more to ensure that their organizations’ defense protocol is rooted in facts, not feeling. Partnering with third-party experts, they can develop ways to gauge the efficacy of their current security efforts, and measure them against industry standards.

Unite business and technology processes: Elevating cybersecurity to a department-agnostic issue goes beyond deploying data loss prevention or identity access management solutions. It involves formalizing new processes (and updating existing ones) through a combined business and IT lens. Risk and compliance management, new vendor selection and end user security training can’t be practices that IT departments outline and impose on their colleagues. Line of business leaders must be equally involved in shaping these policies to ensure they’re enforced and effective.

Promote a new outlook for security spending: Security comprises a single slice of the IT budget, one business leaders historically viewed as something to be contained, investing only when necessary in times of real or looming crisis. Organizations striving to foster a culture of security need more proactive stances toward their strategy and spending. This means positioning cybersecurity as an investment opportunity, not a reluctant line item.

Incentivize accountability: Rallying support for new policies and promoting cybersecurity awareness can easily be met with resistance and shoulder shrugs, so organizations must get creative. Offering perks for departments or teams that collectively participate in the most security education opportunities can motivate non-technical staff to take security seriously. Likewise, employees who offer new security ideas, or call attention to possible security flaws, should also receive company-wide recognition to encourage similar initiative across the organization.

Organizations are only as secure as their weakest password, governance process or end-user habit. When executives treat cybersecurity as a corporate principle rather than an IT duty, all employees have a reason to support the cause.