Implementing a safety culture from top to bottom

Cultivating a safety culture starts from the top down, with leadership serving as an example to all employees. Effective cybersecurity requires more than just technology and a well-trained IT staff; it requires a safety culture that permeates the entire organization. However, such a culture can only be established and maintained through strong leadership. Without the active involvement of senior management, cybersecurity initiatives may fail, leaving the organization vulnerable to attacks.

We have previously explored a people-centric approach to tackling digital threats, as well as building a culture of awareness by empowering employees as the first line of defense. While it’s important to be aware of how we can help our IT departments and effectively train our employees in cyber awareness, it is ultimately our leaders’ responsibility to promote and support cybersecurity initiatives.

In the final part of this three-part series, we will explore the role that organizational leadership plays in cybersecurity.

Cybersecurity is a business problem that goes beyond the IT department. When chief executive officers (CEOs), board directors and senior executives take a hands-off approach to cybersecurity and hand over full responsibility to IT, it sends a message that security is not a priority. This can lead to a culture of complacency in which employees fail to recognize the importance of cybersecurity compliance.

Common symptoms of a lack of cybersecurity leadership include:

– Hands-off approach. If senior leaders are not actively engaged in cybersecurity, driving change and ensuring compliance across the organization becomes a challenge.

– Requests for exceptions. Employees can often ask for exceptions to cybersecurity policies, and if leaders do the same, it undermines the organization’s security posture.

– Revenue over safety. In some cases, employees prioritize customer service over cybersecurity compliance, especially when management prioritizes revenue over security.

For cybersecurity to be effective, governance and responsibility must be clearly defined and distributed throughout the organization, not left solely to the IT department. This means establishing clear roles and responsibilities for every team, from management to the individual employee.

Here are some of the key players in managing your organization’s cybersecurity:

– Executive Leadership: Responsible for setting the tone and example for the rest of the organization. Leaders must actively engage in cybersecurity initiatives and demonstrate their commitment by adhering to the same policies and procedures expected of all employees.

– IT: Focuses on implementation, compliance, monitoring and innovation in cybersecurity practices. The IT department is responsible for ensuring the security of the technical infrastructure and the operation and enforcement of security policies.

– Knowledge Management: Develops and delivers security awareness programs that are connected and engaging, ensuring all employees understand their role in cybersecurity.

– HR/People and Culture: Deals with human resources aspects of cybersecurity, including addressing non-compliance issues and dispute management.

– Marketing and Communications: Creates and disseminates cybersecurity messages that are clear, engaging and easy to understand, ensuring cybersecurity remains top of mind for all employees.

– Employees: Everyone in the organization has a responsibility to follow cybersecurity policies and practices, recognizing that their actions can have a significant impact on the company’s security.

Effective cybersecurity leadership is not just about setting policies; it’s about leading by example. When senior leaders adhere to cybersecurity principles, it reinforces their importance and encourages others to follow suit. Conversely, when leaders bypass safety protocols, it sends a signal that these policies are flexible and can be ignored.

For example, if a CEO insists on using unsecured personal devices for work purposes, enforcing a company-wide “bring your own device” policy becomes a challenge. Leaders must be aware that their actions set standards for the entire organization.

Leadership must be actively involved in every aspect of cybersecurity, from management to employee training and incident response. By taking a proactive approach and making cybersecurity a priority in boardrooms, leaders can ensure that their organization is well-prepared to address current and emerging threats.

In any industry, especially those that store and process data, leadership commitment is crucial to ensuring a solid cybersecurity framework. Consider outsourcing to cybersecurity experts who can help your leadership team develop and implement a comprehensive cybersecurity strategy that is based on industry standards and frameworks, aligns with your business goals and helps protect your organization’s data and reputation.

As we conclude this series, it is important to remember that cybersecurity may appear to be an IT initiative, but the fundamental principles of success depend more on people: the ability to continuously ensure regulatory compliance; awareness of doing what is right; and striving to maintain regulatory compliance. It’s time to start building a people-centric cybersecurity strategy that protects your data and your business.


Leonard Duque is a director and chief information officer in the technology solutions group at P&A Grant Thornton. One of the leading audit, tax, advisory and outsourcing firms in the Philippines, P&A Grant Thornton consists of 29 partners and 1,500 employees. We’d love to hear from you! Connect with us on LinkedIn, like us on Facebook at P&A Grant Thornton and email your comments (email protected). More information can be found on our website at www.grantthornton.com.ph.