Combating Risk Negligence Using Cybersecurity Culture

5 years ago Tripwire Guest Authors

With a growing number of threat sources and successful cybersecurity attacks, organizations find themselves in a tricky spot if they wish to survive cyberspace. Oftentimes, the adversaries are not the challenge; the obstacle is the organization’s culture. Just like culture influences who we are as a people, culture influences the cybersecurity tone of an organization. Every organization has its own unique fit and feel. Unfortunately, the fit and feel of an organization’s culture is not always positive.

With the understanding that cybersecurity is still a relatively new concept to many, people and organizations often fail to see cybersecurity as an enabler of business objectives. Instead, cybersecurity is often thought of as a roadblock, prohibiting the organization from reaching its goals. This negative perception of cybersecurity results in business units avoiding cybersecurity or finding ways to circumvent it. With that said, aligning security with risk management frequently leads to higher acceptance amongst the organization.

The Perception of Cybersecurity

Many organizations place a greater emphasis on technology, leaving the human aspects of cybersecurity to be overlooked. Therefore, it's crucial to place a stronger focus on culture. Establishing a cybersecurity culture can influence risk-based decisions and create the perception that security is a benefit to the business rather than an obstacle. Although organizations work diligently to improve cybersecurity awareness, network defense and threat detection, the greatest protection may originate from an effective risk-based cybersecurity culture.

Each member of the organization contributes to the cybersecurity culture in some way. The concept of cybersecurity culture is based on knowledge, perceptions, views and how they manifest themselves in human behavior with technology. Ultimately, the purpose of a cybersecurity culture is to create an optimized social and psychological framework to support cybersecurity initiatives that are aligned to the strategic mission and business objectives.

Cybersecurity and Risk Management

It should be noted that forming a cybersecurity culture alone does not fix the people problem in an organization. For the cybersecurity culture to be effective, the culture should have a strong focus on risk management. Risk management should drive all security initiatives within the organization. The alignment between cybersecurity and risk management supports the identification of the adverse impact of operational dynamics and difficulties in both communicating a clear understanding to stakeholders as well as assessing the potential damages to the organization.

Cybersecurity should be included in the organization’s enterprise risk management (ERM) program. ERM allows leaders and boards to frame the organization’s risk appetites and positions. Attributes of highly regarded organizations include an influential culture that supports and optimizes strategic objectives and the use of policies and procedures to facilitate decision management for internal and external risks. Through the establishment of a common language for risk and repetition across various communication channels, a risk-aware cybersecurity culture can be developed.

Establishing a Risk-Based Approach

Many organizations are not risk-driven. A number of organizations have succumbed to a “check-the-box compliance” mindset in which security initiatives are focused on passing audits instead of achieving proportional levels of security. Check-box security can lead to adverse impacts on the organization. Purely compliance-based approaches to cybersecurity are no longer adequate. Risk-based approaches to cybersecurity are better suited to address the dynamic threat landscape. Cyber threats are not static, so the approach to address them should not be, either.

Compliance and regulatory requirements are often slow to react to the ever-evolving threat environment. A risk-based approach allows organizations to change their perspective to address emerging risks as they are identified. Essentially, risk-based approaches provide a faster rate of response for risks. However, a risk-based approach is not ideal for organizations that are immature or do not have the capability to implement it. Organizations must identify their capabilities and maturity levels as well as identify gaps in their culture.

A Hybrid Theory

Risk and compliance can support each other. Compliance-based security provides some advantages: it gives a cybersecurity professional the ability to measure security controls objectively. It is more difficult for an assessor to ensure that adequate security controls are implemented in a risk-based environment.

When framing the risks, one needs to understand that it is challenging to conduct an objective risk assessment, as people are influenced by their own skills, knowledge, experiences and perceptions. An underlying compliance structure should exist to ensure that the minimum security requirements can be implemented and audited. However, when the cost of a security compliance initiative outweighs the potential impact to the organization, the risk should be accepted.

Compliance and risk management are essential, and merging both functions will benefit the organization. Compliance-based security is the starting point for security; it helps to ensure that organizations adhere to the minimum set of requirements. Compliance should not be mistaken as the objective of cybersecurity. The use of risk management considerations can build on compliance-based security and optimize the organization’s security posture better than a compliance-based approach alone.

Summary

Cybersecurity is a growing challenge for many organizations. Each unique organization has its own cybersecurity objectives, constraints and other considerations. Organizations must realize that cybersecurity culture can ultimately make or break the organization. The influence that employees have on the state of cybersecurity in an organization is often a reflection of senior management. Considering the relationship between risk management and cybersecurity, senior management must decide whether to form a risk-based cybersecurity culture before establishing technology and processes. As organizations progress through cyberspace, risk-based decisions and senior management support are required to achieve cyber resiliency and promote the achievement of organizational strategic objectives.


About the Author: Hunter Sekara is an IT Security specialist for SiloSmashers, Inc. Hunter works closely with executives and organization officials to securely achieve business objectives. He currently holds both undergraduate and graduate degrees in Cybersecurity as well as several industry certifications including CISSP, CISM, CISA and CRISC. You can follow Hunter on Twitter here.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post "Combating Risk Negligence Using Cybersecurity Culture" appeared first on TripWire.

Source: TripWire – Tripwire Guest Authors
