How To Embed a Cybersecurity-First Culture Within Your Organization

By now you’ve heard the phrase “every company is a tech company.” Even bakeries, banks and bicycle shops need technology—and to understand technology—in order to run their business. We’re beyond that now. Today, we’re approaching a point where every company should be a security-first company. At the very least, that means understanding and managing risk tolerance. But they’re not there yet and they need MSPs to help guide them to get there.

“We all need to work together,” said Dave Alton, CTO at Strategic Information Resources. “I think most organizations think that having security awareness training is enough, but it isn’t. We need to shift away from placing blame for a security incident to creating opportunities for learning and having conversations around when the worst happens. Having a champion whose sole purpose is to raise awareness and stay in front of cyber threats is critical for successful mitigation.”

Security has to be a primary directive within any organization, and it needs buy-in from top to bottom because it’s a business problem, not a technology problem. Getting your company there (as well as your customers) can be a challenge, but it’s also a necessity. To help, CompTIA enlisted a panel of cybersecurity leaders to develop Embedding Cybersecurity Into Your Culture, a guide for MSPs that provides advice, steps and processes to make sure your business has a cyber-first mindset.

“There’s a lot of benefits to embedding a cyber-first culture, including less or smaller scoped breaches, protection of one’s reputation and avoidance of unplanned security incident costs,” Alton said. “But I think the most important thing to get across is that it is a team effort for everyone to get behind. It raises the maturity of any organization that is serious about this and should lower overall costs day to day.”

Organizations may not understand cybersecurity or see it as a secondary priority or simply something they need to check off on a list, according to Gema Pérez Cortés, cyber risk and compliance lead at Capgemini Engineering.

“On one hand, implementing cybersecurity from scratch may feel overwhelming, but on the other hand, not everyone understands that it's not only a matter of investing money—since money will not solve the problem—but also investing time and effort on a cultural change in the organization to make sure cybersecurity is a top priority,” Cortés said.

Download Now: Embedding Cybersecurity Into Your Culture

Cybersecurity Is Everyone’s Job

The goal of the guide isn’t to change a company’s existing culture, the cyber leaders said. Rather, it’s to leverage your existing culture and deepen it with more security-first policies and processes—embedding them until they are ingrained across the organization.

“Use your existing culture and deepen it to help with being a security-first organization. Security shouldn’t be an afterthought ever. When I worked in the non-profit space it was everyone’s job to help the company fundraise. Security isn’t any different, everyone is part of the security team,” Alton said.

Embracing a cyber-first mindset helps ensure that cybersecurity is implanted by design into an organization’s processes, which drastically reduces risks and increases employees’ buy-in, according to Cortés.

“We cannot always prevent human errors by implementing more controls, but if our company has a cyber-first mindset, employees will more easily recognize threats and risk and act as ambassadors to spread their knowledge and help other colleagues and clients naturally,” she said.

Download Now: Embedding Cybersecurity Into Your Culture

Never Stop Learning—or Adjusting

CompTIA’s cybersecurity team approached a select group of members to help develop the guide. The group collaborated over an eight-week period to compile the content that’s included. Several members said the process was helpful to them because—even though they’re considered security leaders—there’s still a lot you can learn.

“The process of helping develop this document in conjunction with CompTIA and the other members was eye opening,” Alton said. “From better understanding of tabletop exercises to really thinking outside the box of how culture can support and raise security awareness.”

Added Cortés, “I've worked on information security training and awareness for years and I've often seen clients wanting to create a new whole image for cybersecurity: A new logo, a mascot, even a different look and feel for cybersecurity-related topics. This is a great idea that helps employees easily recognize the topic when it's mentioned in the company. However, only those organizations that really understand the values and culture of the organization manage to integrate cybersecurity successfully.”

In addition to the guide, the cyber leaders offered some additional advice for MSPs and other tech companies on how to shore up their defenses.

“I would suggest having a clear understanding of why you are doing it and why it's an essential part of the business,” Cortés said. “You want to embed cybersecurity into your company’s culture, not the other way around.”

Added Alton, “Stop looking at it as a cost. Look at it as a competitive advantage and one where your existing culture shines through.”