Research reveals 5 ways to improve cybersecurity

Respondents to a new Enterprise Strategy Group/ISSA survey offered five key takeaways on how to strengthen an organization’s cybersecurity culture.

Cybersecurity culture helps blend cybersecurity and business. In a new research report, TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) have compiled several suggestions from cybersecurity professionals to help drive this change in five key areas.

The European Union Agency for Network and Information Security defines cybersecurity culture as “people’s knowledge, beliefs, perceptions, attitudes, assumptions, norms and values regarding cybersecurity and how they manifest themselves in people’s behavior with information about cybersecurity technologies. Cybersecurity culture encompasses familiar topics, including cybersecurity awareness and information security frameworks, but is broader in both scope and application, as it is about making information security considerations an integral part of an employee’s work, habits and conduct by incorporating them into their daily actions.”

When organizations embrace this cultural shift, cybersecurity becomes everyone’s job: developers, business managers, knowledge workers, executives, everyone. In other words, everyone is on their best behavior, remaining vigilant for any signs of trouble. By contrast, organizations that downplay their cybersecurity culture delegate digital security to the CISO and a small team of technologists. As a result, employee negligence leads to increased business risk, compliance violations, and cyber attacks.

Markswell Coelho, coordinator of the IBSEC – Brazilian Cybersecurity Institute, says: “Most CISOs and business managers I speak with recognize these problems and are working to improve cybersecurity culture and better align cybersecurity with the business. That said, you can’t just put up signs, hire motivational speakers, or snap your fingers to drive this change.”

How to build a cybersecurity-focused culture

What can be done? Enterprise Strategy Group and ISSA recently surveyed 301 cybersecurity professionals and ISSA members in “The Life and Times of Cybersecurity Professionals v6” survey. Respondents suggested five areas for improvement.

First, include cybersecurity from the beginning in all future business plans. This is the ultimate approach to change: ensuring that cyber risk is assessed and addressed as organizations consider new business initiatives. Using digital transformation, the growing use of operational technology and IoT devices as examples, security teams must review planned business processes to understand who will use new applications, where they will reside, what types of devices will be used, and what data is involved. Armed with this knowledge, they can create accurate threat models, identify and mitigate risks, recommend controls, and understand how to monitor suspicious activity.

Another point highlighted by respondents is the need to make managers more accountable for security performance. Line-of-business managers are often evaluated on the overall performance of their business units, but respondents suggested it wouldn’t hurt to provide some incentives for cybersecurity. They gave the example of business units that perform best in areas such as security audits, penetration testing, and patch cadence and effectiveness being rewarded accordingly.

Security professionals also said they dislike the typical security awareness training that most companies do solely for compliance or governance purposes. Instead of this ineffective method, they often recommend more interactive training, such as simulated phishing or on-demand training triggered by monitoring user behavior. Security training should be ongoing, not an annual online review exercise. This also ties into the fourth area of improvement: the emphasis on security best practices over regulatory compliance. Government and industry regulations lay a solid foundation for cybersecurity, but many organizations still think that if they pass compliance audits, they will have done everything necessary for cybersecurity. Instead of simple compliance, respondents suggested that CISOs emphasize models such as threat-informed defense and strong program alignment with the MITRE ATT&CK framework.

Finally, respondents suggested that the organization be measured and rewarded based on cybersecurity metrics. Because cybersecurity is about continuous improvement, it may be helpful to provide an organizational incentive based on the performance of various cybersecurity metrics, such as password strength, email click-through rate, phishing email reports, and other types of secure behaviors.

More information: IBSEC

Website: https://ibsec.com.br/

Source: Terra
