By James Taylor, Strategic Development Manager, UK and Ireland, for Nuvias
If only I could manufacture a ‘Security Culture’ solution, package it and market it, I would have the most effective security product on sale today. Engendering a strong awareness and commitment to cybersecurity within an organisation is critical, yet still sadly neglected by many.
Most of my presentations today start with the question “What is the Board’s appetite for resolving your security issues?” This is usually followed up with “What have you done to help yourselves?”
The responses vary, yet it is still surprising just how many boards seem completely unaware of the positive impact they could play in encouraging and improving security in their organisations. Allow me to suggest the following an organisation’s security is significantly elevated when a privacy and security culture is present. The advice from all the leading authorities is clear. The National Cyber Security Centre (NCSC) for example, advises focus on Risk Management Regime:
‘Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers’.
Having recently attended a privacy and security conference with a deep desire to discover fresh tools and techniques to assist organisations obtain optimum security levels, the two key takeaways from the event were not technology driven. They were the current low level of a security culture within organisations; and the importance of trust. It was rather refreshing to know that I am on a similar page on how to achieve privacy and security as some of the presenters at the conference.
Despite the risk management advice above from the NCSC having been available for quite some time, one statistic presented to the privacy and security conference delegates was very interesting. It stated that only just over a quarter of the Top 100 companies in the UK make any mention of privacy and security in their corporate social responsibilities publications. A surprising statistic. The best security advice we can give an organisation is freely achievable yet 75% of companies are not clearly communicating their privacy and security policies internally.
The other key takeaway was trust. The presentation gave some interesting statistics on trust and how consumers react when we trust a brand and what happens when we don’t. Guess what? Predictably, a trustworthy brand makes for a far more positive relationship with its customers. Trust must be earned. We can build trust, we can demonstrate a commitment to trust but the foundation must be an active privacy and security culture.
Whilst GDPR generated a lot of FUD in the security industry, perhaps it is the catalyst to encourage us to get our house in order. By applying some basic principles of security awareness and commitment, we have a golden opportunity to not only improve our security position, but possibly to give ourselves a key market differentiator that consumers will appreciate over the competition.
Now, if only I could bottle that Security Culture! There’s a ready-made market out there.