
Building a resilient future: Importance of establishing a strong cybersecurity culture

Jay Bavisi, President and CEO of EC-Council Group, recently spoke to Dataquest on the importance of establishing a culture of cybersecurity.

Supriya Rai

In today's rapidly evolving digital landscape, establishing a strong cybersecurity culture is of paramount importance for building a resilient future. Cybersecurity culture refers to the collective commitment within an organization to prioritize and value the safeguarding of digital assets and Information Technology (IT) infrastructure. It goes beyond a mere set of rules; it represents a mindset or a core belief system that views cybersecurity as an integral part of the overall business strategy. Jay Bavisi, President and CEO of EC-Council Group, recently spoke to Dataquest along the same lines.


DQ: What is cybersecurity culture, and why is it important for organizations to foster such a culture?

Jay Bavisi: Cybersecurity culture refers to the collective commitment within an organization to prioritize and value the safeguarding of digital assets and Information Technology (IT) infrastructure. It encompasses more than a mere set of rules; it represents a mindset or a core belief system that views cybersecurity as an integral part of the overall business strategy of an organization.

For modern organizations, establishing a robust cybersecurity culture is of paramount importance. Statistics emphasize the critical role of a cybersecurity culture in maintaining a secure environment. According to the 2023 Data Breach Investigations Report, the human element contributed to 74% of the data breaches, mainly involving social engineering attacks, errors, or misuse. This statistic underscores the urgent need for an organization to build a culture that places high value on cybersecurity and prioritizes its implementation rather than seeing it as an impediment.


According to the EC-Council's Certified CISO Hall of Fame 2023 Report, the increasing reliance on cloud services has become a significant concern for information security leaders. It is crucial for organizations to implement strong security frameworks and have skilled cybersecurity professionals to effectively address emerging threats. As businesses utilize a multitude of cloud services, their vulnerability to potential risks increases. On average, enterprises rely on approximately 1,295 cloud services. This figure indicates the substantial threat cloud security risks pose to businesses. Hence, it is even more important for organizations to embrace the development, adoption, and implementation of an organization-wide cybersecurity culture.

Compliance is another key factor. Noncompliance with regulatory requirements may result in penalties and loss of consumer trust. The latter is harder to quantify but arguably more damaging to an organization. An effective cybersecurity culture also contributes to business continuity. Many businesses have experienced IT downtime or severe service disruption in the past few years due to cyber incidents. A strong cybersecurity culture can mitigate these risks and ensure smoother operations.

Post-COVID, work culture has undergone significant changes, shifting toward digital ecosystems and remote work becoming the new norm. While this transition has led to increased productivity, it has also introduced massive security challenges. Protecting access to resources has become crucial, making access management a vital aspect of maintaining workplace security in the modern era. Again, none of this can be long-lasting or effective without an organizational cybersecurity culture.


DQ: What role does cybersecurity education play in shaping cybersecurity culture in organizations, and how can it be integrated into an organization's overall security strategy?

Jay Bavisi: Cybersecurity education plays a vital role in shaping cybersecurity culture within organizations and can be integrated into the overall security strategy in several ways. While security training has limitations in addressing broader organizational factors, a comprehensive approach that includes robust cybersecurity education can bridge the gap.

Adopting a more comprehensive approach that includes robust cybersecurity training and education is essential to address this limitation. This approach should aim to foster a cybersecurity culture within organizations and implement security solutions, such as access management, to mitigate risks related to human factors.


By incorporating cybersecurity education, employees' awareness of cybersecurity threats can be heightened, emphasizing the significance of their role in combating these threats. This, in turn, can reduce instances of human error and promote a sense of collective responsibility, ultimately strengthening the organization's overall security posture.

Integrating education into an organization's security strategy involves providing continuous, practical, and role-specific training. It requires strong support from management, integration into organizational policies, and the implementation of incentive systems to reinforce secure behavior. Therefore, cybersecurity education not only shapes the cybersecurity culture but also serves as a strategic tool for enhancing the overall security of the organization.

DQ: What are some of the biggest challenges organizations face when it comes to promoting a cybersecurity culture, and how can these challenges be addressed through education and training?


Jay Bavisi: Promoting cybersecurity culture within organizations is indeed a multifaceted challenge. It requires a combination of education, training, and strategic initiatives to address the evolving landscape of cyber threats. The focus of cybercriminals has shifted to social engineering tactics, such as phishing, smishing, and vishing, to manipulate people into revealing sensitive information. This can only be addressed with effective security awareness training.

One of the main challenges organizations face is that many employees lack a fundamental understanding and awareness of the online threats they face. They may not be familiar with the necessary behaviors to mitigate these risks. This lack of knowledge can be bridged through various educational initiatives. Regular sessions, workshops, and webinars can be organized to raise awareness about different cybersecurity aspects like phishing, password security, and the safe use of public Wi-Fi. To enhance engagement and comprehension, gamification techniques can be employed during training programs.

However, even with increased awareness and training, the risk of human error remains significant. Employees can make mistakes or engage in intentional misconduct that compromises cybersecurity. Regular training efforts can help mitigate this risk by instilling good cybersecurity habits. Additionally, fostering a no-blame culture is crucial, as it encourages employees to report mistakes and facilitates learning from them rather than concealing them.


Resistance to change is another major challenge in cultivating a cybersecurity culture. People often resist change, especially if it requires extra effort or disrupts their usual workflow. In such cases, leadership buy-in and involvement are vital in driving cultural change. When leaders demonstrate the relevance and impact of cybersecurity on employees' personal lives, not just their work, it can foster a greater sense of importance and personal investment.

Furthermore, organizations often struggle to provide adequate resources for cybersecurity training due to budget constraints or a lack of available expertise. To overcome this challenge, partnerships with cybersecurity training organizations, online training platforms, or hiring dedicated cybersecurity educators can provide cost-effective solutions.

Ultimately, promoting a cybersecurity culture requires making cybersecurity a part of the organization's overall culture. Ongoing education and training should be at the core of these efforts, accompanied by a shift in attitudes and behaviors. By addressing the challenges through education, training, leadership involvement, resource allocation, and fostering a no-blame culture, organizations can better protect individuals and secure their systems in the expanding realm of cybersecurity.


DQ: How can organizations ensure that all employees, regardless of their role or level of technical expertise, receive adequate cybersecurity education and training?

Jay Bavisi: Establishing effective cybersecurity education across an organization involves baseline training for all, complemented by role-specific sessions. The learning material should be in plain language to ensure understanding regardless of technical expertise and delivered through various methods to cater to different learning styles. Training should be ongoing, not a one-off event, with regular updates and practical exercises like simulated cyber-attacks. Importantly, fostering a cybersecurity culture from leadership down is key, with opportunities for further self-learning and a feedback loop to improve training effectiveness over time.

DQ: Can you provide an overview of EC-Council and its role in the cybersecurity industry?

Jay Bavisi: Since its establishment in 2001 in response to the tragic 9/11 attacks, EC-Council has been dedicated to developing advanced cybersecurity training and certification programs to counter potential cyberthreats. The aim was to equip the information security community with the necessary tools to respond to a potential cyber equivalent of 9/11, which was lacking at that time. We have been leading the charge in cybersecurity certification and training in 150 countries, and today, we are proud to have a strong network of over 350,000 certified members, more than 2,700 training and education partners, over 2,000 certified instructors, and around 350 subject matter experts.

In 2003, we took the lead in cybersecurity training and education by launching the Certified Ethical Hacker (C|EH) certification. Even as many people face job losses today, many C|EH professionals earn salaries three times the average. Continuing our efforts, we established our university, ECCU (EC-Council University) in 2006, and in 2010 we achieved a significant accomplishment when the U.S. Department of Defense recognized our Certified Ethical Hacker program under directive 8570.

As the complexities of the digital world grew, we remained committed to our mission of creating a cyber-literate global workforce. To this end, we provide specialized courses in areas like Vulnerability Assessment & Pen Testing, Network Defense, Incident Handling & Response, Application Security, and Blockchain. We also offer the Certified Cyber Security Technician (C|CT) program for those starting their careers in this field.

In a strategic effort to expand cybersecurity education by recognizing the escalating cybersecurity challenges and the pivotal role of awareness in reducing cyber vulnerabilities, we launched CodeRed in 2019. CodeRed, identified as the world's largest online cybersecurity library, offers micro degrees in specialized technical subjects, thereby providing accessible and comprehensive learning resources to a global audience. The impact of the EC-Council extends beyond just the cybersecurity community. By fostering a safer digital environment, it indirectly benefits all sectors of the economy that rely on digital infrastructure. Over the past two decades, EC-Council has been a key player in cybersecurity through its extensive training and certification programs. As a global powerhouse in cybersecurity education, we are known for our unique approach to training, certification, and research. Our teaching methodology, centered around the "learn, certify, engage, compete" framework, is aimed at providing our trainees with a competitive edge in various aspects of their careers. Our ongoing goal is to be the preferred choice for those seeking cybersecurity education, and we continually aim to make a significant difference by training individuals and professionals to be prepared for cyber threats.

DQ: What advice would you give to individuals considering a career in cybersecurity and looking to pursue EC-Council certifications to enhance their skills and marketability?

Jay Bavisi: Embarking on a cybersecurity career requires unwavering dedication, lifelong learning, and resilience. It is also essential to comprehend the global demand in this rapidly evolving field. Being a fast-paced learner is particularly important. It is essential to gain clarity by researching the specific specialization within cybersecurity one wishes to pursue, as EC-Council provides training and certification in a wide range of areas like Pen Testing, Vulnerability Assessment, Incident Handling & Response, and Network Defense, among others. Apart from this, a career in cybersecurity requires hands-on experience, which can be gained through participation in global competitions such as C|EH (Certified Ethical Hacker) Compete. It is also important to foster strong professional networks, hone effective communication and problem-solving skills, uphold high ethical standards, and comprehend the legal nuances associated with cybersecurity.

Remember that certifications complement practical experience and continuous learning, so nurture a genuine passion for cybersecurity and stay curious.
