The report “Narrowing The Culture Gap For Better Business Results” from ISACA and CMMI Institute shows there is a huge gap between companies’ current and desired organizational culture of cybersecurity. According to ISACA’s press release, only 5% of the global survey respondents disagree with this statement and find their level of cyberprotection satisfactory.
More than 4,800 business and technology professionals took part in a global research study, conducted by ISACA and CMMI Institute and held in June 2018 via online polling. Results were released at ISACA’s CSX North America cybersecurity conference in Las Vegas this week.
According to the report, cybersecurity should not be the responsibility solely of strategic executive leaders, but of every employee as well. It should be incorporated into everyone’s daily operations and become a habit. Therefore, prioritizing investment in training can be a meaningful driver of a strong cybersecurity culture. Other steps that can lead to heightened awareness and an improved culture are annually measuring and assessing employee views on cybersecurity.
This “all-hands-on-deck” approach to counter cyberattack threats needs to be developed, since just 34% of respondents say they understand their role in their organizations’ cyber culture.
Doug Grindstaff II, SVP of Cybersecurity Solutions at CMMI Institute, comments on the results:
“We are hearing a lot of feedback about how organizations can move the needle on employee involvement. It’s challenging, but organizations are rightly concerned by the growing sophistication of cyberattacks.”
The concerning results also show that only 7% of respondents think that the health of their organization’s cybersecurity culture is excellent. Among organizations that have yet to establish an effective cyberculture, 58% report a corresponding lack of a clear management plan or KPIs. Organizations with a weak cybersecurity culture become more vulnerable to:
- Cyber breaches
- Missed business opportunities
- Data loss
- Poor customer retention
- Regulatory penalties
Steven J. Ross, executive principal of Risk Masters International and author of Creating a Culture of Security, is cited in the report:
“Most people do not enjoy being told what they cannot do, even if they know they should not do those things. When security is framed as trust, consistency, reliability, predictability and productivity, it becomes easier to enlist others in a culture-strengthening exercise.”
Realistically, every benefit comes with a cost. In this study, organizations that report a significant gap between their current and desired cultural state are spending 19% of their annual cybersecurity budget on training and other tools. In sharp contrast, those firms reporting “no gap” in their desired cybersecurity culture are spending more than twice as much – 43%.
However, researchers claim that it’s not all about money. ISACA Board Chair Rob Clyde believes that greater organizational communication is needed to discuss attempted threats and ongoing risks. Many do not share this information, fearing reputational damage.
“Individuals tend to underestimate the potential damage and overestimate technology’s ability to limit such incidents. Doing so puts their organizations at serious risk,” says Clyde.
He also points to a lack of awareness of attempted threats and ongoing risks, as well as a lack of awareness of which assets are exposed to cybersecurity threats, as factors behind the seemingly illogical delay in investing in a cybersecurity culture strategy.
You can find the whole report “Narrowing The Culture Gap For Better Business Results” here.