Let’s face it, technology alone is not enough to protect against ever-evolving cyber threats. Effective cybersecurity requires strong leadership. Leadership must foster a culture of security, make informed strategic decisions, and guide organisations through the complexities of the digital landscape.

By CG Selva Ganesh, vice-president and CEO South Africa at In2IT Technologies

Yet the role of leadership in building a security-conscious organisation is not a technical one either: cybersecurity goes beyond technical complexity and includes people, processes, and strategy.

It all comes down to the leaders setting the tone and strategy for how an organisation handles cybersecurity, making it not just a technical function but a strategic imperative.

Unsurprisingly, leaders need to lead by example. This includes prioritising investments in security initiatives, like zero trust, which is not an off-the-shelf solution. Prioritising investments also means partnering with specialised companies to implement the required security architecture and frameworks in depth.

At the same time, empowering people is crucial, and leaders need to focus on training and empowering their employees to be security-conscious and follow best practices. Simply put, the leadership’s role is to drive the overall security strategy, prioritise the necessary investments, and empower the organisation’s people to be active participants in maintaining a security-conscious culture.


Driving a culture of security

Something as simple as the improper disposal of paper documents encapsulates the crucial role of leadership in driving a culture of security within an organisation: if an employee throws a sensitive document in the trash, a hacker could retrieve the information it contains.

Furthermore, there are often employees within the organisation who still use legacy systems and insecure practices, like storing passwords on sticky notes on their desks. These employees may need to be trained to understand why this is a security risk.

The solution is to empower and train all the employees, regardless of their role, to be active participants in maintaining a security-conscious culture within your organisation. By educating them on security best practices, they can become more security-conscious and avoid risky behaviours.

Additionally, security policies and compliance requirements must be clearly defined and communicated regularly with the entire organisation. This helps ensure everyone understands the security standards they should follow.

I also emphasise the importance of having clear and well-defined Information Security Policies (ISPs) within an organisation. These policies need to be comprehensive and consistently applied across the entire organisation.

For example, if the organisation introduces a new application, it should not be allowed to be deployed unless it meets the Multi-Factor Authentication (MFA) requirements in the ISP. Thus, these policies should act as gatekeepers to ensure security standards are consistently being met.


Regular audits

Furthermore, we must not overlook the need for regular security audits. These audits should check if applications and systems “tick all the boxes” in terms of the security requirements outlined in an organisation’s ISP.
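The gatekeeper idea above (an application is not deployable unless it meets the ISP's MFA requirement) and the audit idea (checking whether deployed systems "tick all the boxes") are the same check run at two moments. The following policy-as-code gate is an added illustration written for this page, not code from In2IT or the author. The rule identifiers (ISP-AUTH-01 and so on), the manifest fields and the two sample manifests are all constructed for the example; a real ISP would define its own rules.

```python
"""Policy-as-code deployment gate (constructed example, not from the article).

Each ISP requirement is a small predicate over an application's deployment
manifest. A manifest that fails any rule is blocked at deployment time, and
the same rule set is re-run over the deployed inventory as a periodic audit,
so the gate and the audit can never drift apart.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str            # hypothetical ISP clause identifier
    description: str
    check: Callable[[dict], bool]   # True when the manifest satisfies the rule


@dataclass(frozen=True)
class Finding:
    app: str
    rule_id: str
    description: str


def _auth(manifest: dict) -> dict:
    return manifest.get("authentication", {})


def mfa_required(manifest: dict) -> bool:
    # The article's example: no MFA, no deployment.
    return _auth(manifest).get("mfa_required") is True


def no_privileged_mfa_exemption(manifest: dict) -> bool:
    # An exemption list that names an admin role defeats the MFA control
    # exactly where it matters most, so it is treated as a failure.
    exempt = {r.lower() for r in _auth(manifest).get("mfa_exempt_roles", [])}
    privileged = {r.lower() for r in manifest.get("privileged_roles", ["admin"])}
    return exempt.isdisjoint(privileged)


def tls_enforced(manifest: dict) -> bool:
    # Every endpoint flagged as public must enforce TLS.
    endpoints = manifest.get("endpoints", [])
    return all(e.get("tls") is True for e in endpoints if e.get("public"))


def has_owner(manifest: dict) -> bool:
    # Policies need someone accountable for keeping the application compliant.
    return bool(manifest.get("owner"))


# Assumed ISP rule set; identifiers and wording are constructed for this example.
ISP_RULES: list[Rule] = [
    Rule("ISP-AUTH-01", "MFA is required for all interactive logins", mfa_required),
    Rule("ISP-AUTH-02", "privileged roles are never exempt from MFA", no_privileged_mfa_exemption),
    Rule("ISP-NET-01", "public endpoints enforce TLS", tls_enforced),
    Rule("ISP-GOV-01", "application names an accountable owner", has_owner),
]


def evaluate(manifest: dict, rules: list[Rule] = ISP_RULES) -> list[Finding]:
    """Return one Finding per rule the manifest fails (empty list means compliant)."""
    app = manifest.get("name", "<unnamed>")
    return [Finding(app, r.rule_id, r.description) for r in rules if not r.check(manifest)]


def deployment_allowed(manifest: dict, rules: list[Rule] = ISP_RULES) -> bool:
    """The gatekeeper: deploy only when there are no findings."""
    return not evaluate(manifest, rules)


def audit(inventory: list[dict], rules: list[Rule] = ISP_RULES) -> dict[str, list[str]]:
    """The regular audit: re-run the same rules over everything already deployed."""
    return {m.get("name", "<unnamed>"): [f.rule_id for f in evaluate(m, rules)] for m in inventory}


# Constructed sample manifests.
COMPLIANT = {
    "name": "expense-portal",
    "owner": "finance-apps@example.invalid",
    "authentication": {"mfa_required": True, "mfa_exempt_roles": []},
    "privileged_roles": ["admin"],
    "endpoints": [{"path": "/", "public": True, "tls": True}],
}

NON_COMPLIANT = {
    "name": "legacy-reporting",
    "authentication": {"mfa_required": True, "mfa_exempt_roles": ["Admin", "service"]},
    "privileged_roles": ["admin"],
    "endpoints": [
        {"path": "/api", "public": True, "tls": False},
        {"path": "/health", "public": False},
    ],
}

if __name__ == "__main__":
    for manifest in (COMPLIANT, NON_COMPLIANT):
        verdict = "ALLOW" if deployment_allowed(manifest) else "BLOCK"
        print(f"{manifest['name']}: {verdict}")
        for f in evaluate(manifest):
            print(f"  {f.rule_id}: {f.description}")
    print(audit([COMPLIANT, NON_COMPLIANT]))
```

The point of keeping the rules as data is that adding a clause to the ISP becomes adding one `Rule`, and both the deployment gate and the scheduled audit pick it up at once; the second manifest shows why a rule such as ISP-AUTH-02 is needed at all, since "MFA required" can be true on paper while an exemption list quietly removes it for administrators.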

Another crucial point is the importance of fostering collaboration, both within the organisation and externally. Leaders must be intentional about investing in initiatives that bring together the security champions in the organisation. This allows them to stay informed about the latest trends and to support each other in applying the necessary security measures.

Lastly, I would like to emphasise the need for continuous improvement: organisations should build on processes such as an ongoing zero-trust strategy, and regularly assess and adapt so that their security posture is constantly monitored and corrected.

Leadership in cybersecurity is about more than just understanding the technical aspects; it’s about setting the right vision, instilling best practices, and ensuring that every member of the organisation is engaged in the mission of protecting sensitive data and systems.