How to Build a Culture of Cyber Resiliency
Building a culture of cyber resiliency is what will set your organization up for success and help defend against cyber-attacks. In this blog, we will explain how you can create a culture of cyber resiliency and improve your organization’s risk maturity with insights from the Director of Alliances and Managed Services for Mariner, Zafar Muhammad.
Cyber resiliency can be described as the ability of organizations to respond and recover when they have been targeted in a cyber-attack. What sets a cyber resilient organization apart from others is how quickly and strongly they can come back from a cyber-attack or respond to a cyber threat. To be cyber resilient, your organization needs to value people, process and technology, and ensure that these three components become integral to your corporate culture.
People
When creating a culture of cyber resiliency, it is important that you do not forget the critical role your people play in protecting the organization. When people know what they need to do, and they continuously make cyber safe decisions, they will help you build a culture of cyber resiliency and improve the organization’s existing risk maturity.
“Risk maturity is important for an organization to build over time,” says Muhammad. “It does not happen immediately, but over a period of a few months or even years. And that cannot happen if everyone in the organization isn’t moving in the same direction or has the same goal. Building a culture of cybersecurity is hard, maintaining it is harder, and losing it is painful.”
To get everyone moving in the same direction with the same goal involves ensuring that training and awareness are taken seriously. Remedial or annual refresher training should be repeated at regular intervals so your people are up-to-date on the latest security trends, and know what to do when they encounter something that could be malicious. It is important to consider how people learn from security experiences and improve their overall cybersecurity posture to mitigate future attacks.
An organization’s reputation is built and destroyed if they do not follow this culture of cybersecurity and cyber resiliency. If the importance of cybersecurity is not communicated at all levels of the organization, it can have devastating effects.
As an example, the airline company, Boeing, has a very strong culture of security and safety. Although they stated that their culture is keeping safety paramount, this was not reinforced enough, and perhaps not reinforced throughout all levels of the organization. Unfortunately, this led to planes going down due to safety issues, and eventually their entire fleet of planes was grounded. But more than commercial damage, the reputational damage was immense. To this day, people remember the series of planes that were grounded due to safety issues. This reputational damage has become a part of popular culture with streaming services such as Netflix creating documentaries about it.
While Boeing may have put safety first, this was not reflected at all levels of the organization. This example reinforces the critical importance for organizations to ensure that security becomes a core part of their corporate culture.
“So if you do things right, and if you do things consistently enough throughout all levels of the organization, and you build this culture of cyber resiliency, then slowly but surely it gets ingrained in everybody’s conversations and way of doing things. Security is not something you do once a year to tick a box, it’s something that comes up in peoples’ regular conversations and activities,” says Muhammad.
To ingrain cybersecurity into an organization’s culture, it should be led by executives and leadership. It is important that leadership is seen as being involved in driving this culture because this is how real change occurs – from the top down. When this is done properly, you can effectively change people’s behaviour so that security becomes a part of their daily routine.
“When leaders put cybersecurity in their day-to-day conversations, and are continuously looking at what they can do to improve, it’s this kind of positive reinforcement that will drive organizational risk maturity and change. Everyone should know what the organization considers secure or safe behaviour,” says Muhammad.
Process
Cybersecurity should be built into organizational processes. It is not an initiative where the IT team mandates everyone to take a course, but rather a multi-step procedure where new concepts are introduced to employees and leadership. Once these concepts are introduced, the process of getting alignment and acceptance begins.
Acceptance and alignment are not always easy. A new way of conducting business can challenge established processes, and people generally do not like change. It can take time for them to adapt and get onboard, which is why it is so important that they see leadership as leading by example. Leadership needs to consistently drive this message home with their direct reports and reinforce it for everyone in the organization. People need to see that leadership is invested in building this culture, and it is their responsibility to reinforce positively this new process to change behaviour.
“Consistency is key. So once a new program is introduced, what happens after that? The analysis part is equally important, and that feedback needs to go all the way back to leadership. They need to make more investments if needed in additional training and ensure support of the program at all levels,” adds Muhammad.
Once the new process is in place, it is important to continue to review adoption and the success of the new way of conducting business. Time should be scheduled with key stakeholders and leadership to analyze areas of improvement and to celebrate successes. When the time is taken to celebrate and recognize good cyber behaviour, that behaviour is more likely to be repeated.
Technology
Technology is the final layer to building a culture of cyber resiliency, and it looks different for each organization and their specific needs. Larger organizations typically have larger in-house teams and more resources to engage cybersecurity experts to manage their infrastructure, cyber training program and policies.
For a smaller organization, they may not have the resources to invest in building proper cybersecurity plans or cybersecurity teams. Cybersecurity is a rare skillset that can be difficult to find and can be very costly to retain.
Change can be challenging for an organization of any size. But adaptable organizations thrive when they invest in a building a culture of cyber resiliency.
Mariner works with organizations to understand business outcomes and empower people with the capabilities and technology to deliver change that matters. We help you achieve sustainable, long-term success with your business transformation.
“When everyone has a common objective they are moving towards, the next step is sustainability, which is what Mariner excels at. Those metrics of sustainability, continued leadership involvement, continued delivery of education and awareness coupled with managed services ensures regular success criteria and that the program lives beyond implementation,” says Muhammad.
Becoming a cyber-resilient organization is not just a matter of security; it's a strategic imperative that can have a profound impact on your reputation, finances, and long-term success.
Safeguard your organization's future in an increasingly digital and interconnected world. Let’s connect!
About Mariner
Mariner innovates always and everywhere, turning novel ideas into practical solutions. From products and services to venture creation, we build better futures powered by people.
Our purpose has always been to be a great, everlasting technology company for those who make an impact - elevating people, data, and technology in the best way to solve hard problems.
We partner with people embracing change, leveraging data, cybersecurity, cloud, and change management to drive successful business outcomes that matter to our customers.
Mariners build for change. Like SHIFT Energy, our energy management and decarbonization company. Or East Valley Ventures, created to scale social economic impact in our communities through investment and mentorship of emerging change-makers and their companies.