Shoring up your organizational governance and awareness
Security breaches are happening more often than ever, creating multimillion-dollar risks and exposing invaluable personal data. Estimates from around the globe show data breaches are up nearly 50 percent,[1] and a 2014 study by the Center for Strategic and International Studies for McAfee estimated the global economic cost of these breaches at more than $445 billion.[2] Organizations are working both to increase security awareness and to build or improve cybersecurity functions that protect their intellectual property, confidential information, and employee, customer, and contractor data. They should also be aligning their organizational culture and talent to protect the company's and employees' information assets.
Effective cybersecurity may be structurally defined in a business, but it is culturally driven. Organizations should work to change the mindset that cybersecurity is just an IT responsibility: it is everyone's responsibility and should be rigorously encouraged across the entire workforce. Employee awareness should be the first line of both governance (ownership) and defense of organizational security. By investing in cybersecurity training and awareness for all employees, data breaches may be reduced (and in many cases prevented), and the likelihood of an effective response when a breach does occur will increase.
What can be done to align your culture toward a cybersecure mindset?
Beyond fostering cybersecurity, cultures with committed, engaged employees and shared beliefs can also see gains in other areas, such as productivity, profitability, and customer loyalty. Deloitte’s 2014 core beliefs and culture survey (Culture of purpose: Building business confidence; driving growth) reveals that “mission-driven” companies have 30 percent higher levels of innovation and 40 percent higher levels of retention, and they tend to be first or second in their market segment.
Building these qualities in your culture starts with identifying and assessing your organization’s cybersecurity values and then taking targeted action to cultivate cybersecurity via overarching governance and standardized, cross-department practices. The effort would typically include steps like leadership engagement and behavioral modeling, recognition and rewards, strategic communications, talent management, and training—a comprehensive, multi-point program to support and further cybersecurity.
A case in point: One organization’s response
Following the incident, the organization performed an assessment of its security capabilities, vulnerabilities, and workforce culture, and calculated the cost of the breach. Executives from the organization's Security, Privacy, and Human Resources divisions collaborated to execute the assessment and to determine how the organization could benefit from an Information Security (InfoSec) program.
The need for improved security measures led to the development and implementation of a central InfoSec program for the entire organization, responsible for:
Thanks to this interdepartmental partnership, the organization has fostered a cyber-aware, cybersecurity-driven culture that makes better-informed information security decisions and exhibits safer behaviors throughout its workforce.
As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.