This is the Year to Create a Cybersecurity Culture

Many of the cybersecurity predictions for 2022 are, well, predictable. Ransomware will continue to wreak havoc across different industries. Watch for attacks against critical infrastructure. Deep fakes will be used to spread disinformation in the upcoming midterm elections. And expect to hear a lot more about the metaverse and criminal activity.

But what all of these predictions point to is the need for a change in corporate cybersecurity culture. Company culture usually incorporates the things that leadership and employees value. It could be a flexible schedule that allows employees to adjust their workweek for better work/life balance or formal business attire required every day. If it results in high levels of productivity, it is in the company’s best interest.

Effective cybersecurity programs also rely on corporate culture. Cybersecurity should be something that everyone supports and strives for. However, Justine Fox, director of software engineering at Mastercard’s cybersecurity arm, NuData Security, pointed out in an email comment, “It is easy to build a culture in your organization around cybersecurity, but it is hard to create the right culture that aggregates a shared passion for achieving the desired outcome with the needed inclusive principles and team diversity that help organizations solve for one group and then extend the solution to work for everyone.”

The Burnout Factor

The problem is that employees don’t necessarily see a shared passion, and that’s leading to burnout. And burnout, according to a study from 1Password, leads to increased cybersecurity problems.

Cybersecurity professionals have struggled with burnout for years—the 1Password study put that number today at 84% of cybersecurity staff—but eight in ten of their co-workers are also feeling exhausted in the workplace. According to the report, 20% of those employees believe company security policies “aren’t worth the hassle,” and so they are taking the easy way out—using the same passwords across multiple applications or relying on shadow IT and personal application accounts not approved by the company to get their work done.

Someone has to take the lead to establish any kind of corporate culture. When trying to establish a cybersecurity culture, that lead would, most logically, come from the cybersecurity team. However, the 1Password study found that security pros are far more likely to ignore their own best practices and engage in risky digital activities at work compared to other workers at an organization.

The Work-From-Home Problem

Building a cybersecurity culture is especially tricky when employees are working remotely. As companies have dealt with two years of pandemic work-from-home issues, the vast majority of employees say it is time for their companies to rethink their cybersecurity culture, according to a study from SentryBay.

“While cybersecurity should be a priority for all enterprises, it can be a daunting prospect to specify and deploy the right solutions for the company’s specific needs,” Dave Waterson, CEO at SentryBay, said in a formal statement. “Culture change is often required, the knowledge and experience of security experts should be sought, but most importantly, endpoint devices—the most vulnerable element in the technology stack—need to be protected by proven software.”

More than half of respondents in this study thought the best way to institute culture change is to incorporate a zero-trust approach, and many indicated that change was needed in how their companies approached BYOD security policies. “BYOD offers enterprises huge capital expenditure savings, but these are worth nothing if adopting that model opens the organization up to the risk of a cyberattack,” said Waterson.

Why Cybersecurity Culture Will Shift in 2022

There will still be employee burnout in 2022 that will impact security approaches, and employees will continue to struggle to balance working from home and the use of personal devices while trying to protect corporate assets. But 2022 could be the year that cybersecurity culture becomes as valued as any other aspect of company culture because leadership finally sees how vital good cybersecurity is to everyday business operations. The C-suite and the board of directors are finally understanding the need for security best practices while threats are accelerating.


This is the year to build your cybersecurity culture, and at Predict 22, Keri Pearlson will offer insights on why the time to incorporate cybersecurity into your organization’s overall culture is now and tips on how to do just that.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
