Building a Culture of Cyber Resilience 

What does a cyber resilient company look like? How does it behave? Most organizations are cyber aware – that is, they're painfully conscious of the massive data breaches happening across the globe and in their industry. Cyber awareness does not equal cyber resilience, however. To bridge this gap, organizations must transition from a reactive posture to a proactive one. For example, a cyber resilient company doesn't just use tools to prevent data breaches – it also invests in a culture of cybersecurity so that employees understand the importance of cybersecurity and feel like they're an active part of a holistic strategy. Here's how a company can build a culture of cyber resilience.

Executive leadership must embrace cybersecurity as a business priority

According to the Global Cybersecurity Outlook 2022 report from the World Economic Forum and Accenture, 84% of respondents say cyber resilience is considered a business priority in their organization that has support and direction from leadership. Just 68% of them consider cyber resilience a major part of their organization's overall risk management strategy, though. Security leaders and IT professionals say that they are still not consulted in business decisions. That compromises their ability to spot or identify security risks, let alone help the organization make more secure business decisions.  Leaders set the tone for their organizations, shaping employees' attitudes in ways they may not always recognize. This is also true when it comes to creating a culture of cyber resilience. Although some leaders might perceive cybersecurity as a responsibility that rests mainly with the IT and security departments, it actually belongs to everyone in the organization – including the C-suite. Even without intending it, leaders can send the signal that cybersecurity takes a backseat to other business priorities.  This could be due to a perception that security gets in the way of achieving business goals instead of enabling them, or it might be because leaders don't fully appreciate the crucial role employee behavior plays in protecting the organization. When leaders inadvertently communicate that cybersecurity is a lower priority, however, employees notice – and they adjust their own priorities accordingly.  To begin moving the company from a cyber aware state to a cyber resilient position, the C-suite needs to champion the importance of cybersecurity with its actions as well as its words. To this end, executives should familiarize themselves with cybersecurity issues facing their organizations, understand the cyber resilience challenges their employees are grappling with, bring IT and security professionals to the table where business decisions are made, and promote good cybersecurity behaviors throughout the organization.  

Continuing cybersecurity education creates cyber resilience

One way leaders can foster a culture of cyber resilience is by making cybersecurity education a priority for the business. Although it's common to have one-off security awareness trainings at most organizations, a single session is not enough to build true cyber resilience. Cyber threats are constantly evolving, and it's essential to give employees the knowledge and confidence they need to keep up. Only this way can they do their part to protect themselves, the business, and its customers.  An organization's risk profile can change, as well – a perfect example of this is when many companies suddenly pivoted to a remote workforce model in the spring of 2020. When this happens, employees need fresh training on how to identify and handle the cybersecurity threats that the organization is most likely to encounter. For example, although all employees should learn how to secure every identity, including their work identity, this is especially true for people working from home. When the staff is fully up to date on how to stay secure at work, it's far less likely to fall prey to the next attack that arrives. Also, as some employees depart and new ones come aboard, the organization loses precious institutional knowledge about cybersecurity. With ongoing cybersecurity education, that knowledge remains in-house. Lastly, there's the message an organization sends to its employees when it requires them to participate in regular security awareness trainings. Rather than dismissing cybersecurity, they are likely to take it seriously and collectively contribute to a cyber resilient culture. And by regularly reporting on cybersecurity wins – for example, publicly sharing the number of attacks blocked – leaders can make sure that cyber resilience is not just everybody's responsibility, but everybody's victory, as well.

A cybersecurity strategy is essential for developing cyber resilience

Although this might sound obvious, every organization that wants to become cyber resilient must have a cybersecurity strategy. Without a defined strategy in place, no one will know what the company's cybersecurity strategy goals are, let alone how much progress it has made toward accomplishing them. For example, an organization should identify which business activities are essential, evaluate how they could be disrupted by a cyber attack, and develop a plan for mitigating those risks.  Without this crucial direction, employees will take away the message that the company does not consider cyber resilience an important goal and turn their attention to the many other priorities on their plates. The organization is also more likely to invest in specific technologies instead of encouraging secure employee behaviors, and it might well even end up investing in the wrong cybersecurity capabilities because it doesn't have an accurate understanding of its cybersecurity requirements. This is another area in which the C-suite can elevate cybersecurity to a top-level business priority and create a culture of cyber resilience, and it should be done in close collaboration with the IT and security teams. By actively partnering with them in the process instead of delegating it to them, leadership will have a far better chance of making informed business decisions and transitioning the organization from a reactive cybersecurity posture to a proactive one.  If a cybersecurity strategy is already in place, it's worth taking a fresh look to make sure it isn't out of date. It's also important to regularly test various components of a cybersecurity strategy, such as the incident response plan, to make sure they work as intended and achieve the expected outcome. It's also a good idea to make sure employees are fully aware of this cybersecurity strategy, why it exists, and what it does. This way, they can understand their role in supporting the strategy and potentially even contribute valuable feedback that makes it better.

Build a culture of cyber resilience

Plenty of organizations are cyber aware, but not nearly as many of them are actually cyber resilient. Transitioning from a reactive cybersecurity posture to a proactive one takes time, and it requires a serious commitment. To build a culture of cyber resilience, executives must embrace cybersecurity as a priority for the entire organization. They should also institute ongoing cybersecurity education that helps employees confidently identify and manage cybersecurity threats as they evolve. A cybersecurity strategy underpins it all, providing a shared goal and transparency about how much progress is being made toward it. By uniting the organization in this way, leaders can build a culture of cyber resilience. LastPass simplifies access management for companies of every size, with the tools your entire organization needs to secure your business and centralize control of employee passwords and apps. In addition to the increased security provided by our cloud-based password vaulting and single sign-on solution, LastPass increases employee productivity by removing the time lost in password resets. Join the more than 100,000 businesses worldwide who use LastPass Business to create, enforce, and measure a meaningful access management policy. Visit www.lastpass.com to start your free trial today.