CXO Bytes | Security

Enable, Encourage & Enforce Security as Culture

By Shambhulingayya Aralelemath

An enterprise can encourage and build security as a culture among its employees with a well-established knowledge base, processes, policies, and values that help employees view cybersecurity as an integral part of their day-to-day responsibilities.

With the high-paced adoption of digital transformation, enterprises need to continuously reform their security culture in response to changing attack surfaces and threats. A well-defined security framework should enable the enterprise to identify, protect, detect, respond, and demonstrate resilience to cyber incidents and attacks. However, enterprise security policies are often treated only as guidelines rather than as mandatory rules. Merely deploying technology controls, without considering how they integrate with one another and correlate to the threat landscape, cannot protect an enterprise. Enterprises need to enable and enforce a change in security mindset, encourage security awareness, and continue to develop a fabric of security culture aligned with the overall risk-aware ecosystem of the enterprise.

Implementing a cybersecurity-aware ecosystem requires a well-considered approach, with participation from all sections of employees and sponsorship from senior leadership, including the board members. This should converge into a fabric of trust within the enterprise: a common understanding and adoption of cybersecurity policies, processes, and standards by all stakeholders, corresponding to their roles and responsibilities in strengthening the defense against cyber-attacks. While there is no silver bullet that unilaterally defines the approach for adopting security as a culture across business segments, the most common steps that should be considered in defining the cybersecurity framework are:

Establishing cybersecurity awareness champions: A working group must be formed to define the cybersecurity culture policy and the approach for rolling out initiatives that improve security awareness. It must consider the feedback and the level of security maturity across a diverse cross-section of employees. The group should prepare the data sets required for alignment with senior leadership and execute an evidence-based approach for the adoption of security awareness initiatives.

Understanding the enterprise culture and risks: Understanding the existing security awareness initiatives, processes, and standards reduces resistance to the adoption of a security culture and helps position it as an enabler for the business.

Gap analysis between the current state and the target state of adoption: An enterprise must have visibility of its landscape, security controls, and maturity. A gap analysis and diagnosis of the current state help identify the cybersecurity functions (with and without interventions) needed to bring uniform applicability across the enterprise. One example is diagnosing the current state of privileged credential use and how such credentials can be secured to reduce the risk of privileged access compromise through prevalent attack vectors.

Defining outcomes for success in the target state of security culture: The security culture requires a clear outline of the key objectives and the success criteria by which its adoption will be assessed. The objectives must align with trends in cybersecurity attacks and the enterprise's need to address the most immediate threats through planned initiatives. For example, adequate employee awareness and use of controls can address phishing attacks, credential compromise, and data breaches.

Define and execute program objectives to achieve the target state of adoption: Assess the impact of the cybersecurity framework on the identified target state. Tasks must be prioritized and their execution planned so as to achieve the desired outcomes. The program objectives must align with leadership mandates, and the target state can then be mapped to a best-path execution plan. Examples include scheduling security awareness training, conducting webinars on the latest cybersecurity trends, and observing events such as World Password Day and Cybersecurity Month.

Leverage technology trends and AI to improve the strength of the security posture: Enterprises should adopt the principles of shift-left, secure by design, and other technological measures when mapping their enterprise security architecture to the applicable regulatory standards. Adoption of AI-led technologies amplifies the security posture across cyber domains and helps identify abnormal deviations quickly. One example is enabling the enterprise to adopt ChatGPT securely, with a focus on data protection and IP protection.

Continued evaluation and insights to improve the approach: Identify the metrics for the defined outcomes and their impact on strengthening the cybersecurity enablement framework. Such metrics also provide insight into the corrections required to the defined objectives, the execution plan, or both. Evaluation provides closed-loop feedback on the initiatives executed for universal adoption of security as a culture within the enterprise.

Following a well-defined approach helps an enterprise enable, encourage, and enforce the adoption of security as a culture. This is a continuous process and requires top-down sponsorship from the board level and bottom-up adoption across business units to ensure universal adoption. A strong security culture enables enterprise functionaries to leverage the available tools, knowledge, training, and skills in adopting a security-first approach and proactively securing the enterprise against emerging cyber threats.


ABOUT THE AUTHOR:

Shambhulingayya Aralelemath, Associate Vice President and Global Delivery Head, Cybersecurity, Infosys

Shambhulingayya Aralelemath (Shambhu) is the Global Delivery Head of the Cybersecurity Practice at Infosys. He has expertise in information technology and cybersecurity across various industries. Shambhu has been leading new offering initiatives, presales solutions, Cyber Next platform engineering, strategic partnerships, and alliances at Infosys, and the views expressed in this article are his own.
