Building a People-Focused Cybersecurity Strategy: Part One
In today’s fast-paced digital world, cybersecurity has evolved beyond the mere protection of systems and data. It is now fundamentally about safeguarding the people who interact with these systems daily. As we observe Cybersecurity Awareness Month, it is crucial to foster a culture of cybersecurity awareness and resilience within organizations. This three-part series will explore how businesses, particularly in financial technology (fintech), business process outsourcing (BPO), healthcare, and small and medium enterprises (SMEs), can transcend basic compliance and develop a people-focused cybersecurity strategy.
The Expanding Role of IT Departments
As organizations increasingly depend on digital infrastructure, the role of IT departments has expanded significantly. However, many companies, especially in sectors like fintech, BPO, healthcare, and SMEs, are struggling to meet the growing demands placed on their IT teams. A recent survey by Palo Alto Networks, a global cybersecurity company, revealed a concerning statistic: 24 percent of chief executive officers (CEOs) do not consider themselves responsible for their organization's cybersecurity, often delegating this critical task entirely to Chief Information Officers (CIOs) and IT teams. When leadership does not own the risk, it rarely funds the response; this disconnect leads to under-resourced IT departments and, in turn, to significant cybersecurity vulnerabilities.
The Strain on IT Resources
IT departments in many organizations are stretched thin, juggling day-to-day IT operations alongside the complex demands of cybersecurity. Gartner recommends that organizations with fewer than 2,500 employees maintain an IT personnel-to-employee ratio between 1:70 and 1:100. Unfortunately, many companies, particularly SMEs, fall short of this guideline.
Common symptoms of IT capacity issues include:
- Lack of Dedicated IT Security Personnel: General IT staff, such as systems administrators and technical support personnel, are often handed security responsibilities on top of their existing duties. This dilutes both focus and expertise, as the same individuals are also expected to produce training programs, policies, and advisories, work that requires specialized knowledge and dedicated time.
- Inconsistent IT Auditing: IT auditors are frequently called upon to perform cybersecurity compliance work only on an "as needed and as available" basis, with client or revenue work taking precedence. As a result, critical cybersecurity tasks are addressed inadequately or not at all, leaving gaps that attackers are quick to exploit.
The Need for Restructuring IT Departments
To mitigate these risks, organizations must consider restructuring their IT departments to include dedicated cybersecurity roles. A well-organized IT structure should involve direct reporting to the CEO or Chief Operating Officer (COO), a clear IT governance framework, and a specialized team focused solely on cybersecurity.
An ideal IT organizational structure might include:
- Direct Reporting Line to the CEO/COO: This ensures that cybersecurity remains a strategic priority within the organization.
- IT Steering Committee: This committee can guide IT and cybersecurity strategies, ensuring alignment with overall business goals.
- Dedicated Cybersecurity Team: This team would be responsible for IT controls, compliance, security operations, and quality assurance, ensuring continuous protection and adherence to cybersecurity standards.
Leveraging Managed Security Services Providers (MSSPs)
For companies that lack the resources to build an in-house cybersecurity team, partnering with a Managed Security Services Provider (MSSP) can be a cost-effective solution. An MSSP brings specialized expertise and 24/7 monitoring that a small team cannot sustain on its own. Outsourcing the operations does not outsource the accountability, however: the organization still owns its risk decisions, and someone in-house must manage the MSSP relationship, define what the provider monitors and escalates, and act on the alerts it raises.
The Importance of Cybersecurity in Sensitive Industries
Why does this matter for fintechs, BPOs, healthcare firms, and SMEs? These industries handle sensitive data and operate in highly regulated environments where cybersecurity breaches can have severe consequences. For SMEs, the lack of capacity or capability to deal with breaches can be particularly damaging.
Ensuring that your IT team is not overburdened and that cybersecurity is a dedicated function is crucial. Organizations should consider engaging third-party IT security audit providers to evaluate their current IT structure and implement tailored capacity- and capability-building solutions staffed by cybersecurity experts. This approach ensures that organizations are appropriately resourced to protect against the latest threats.
Conclusion
As we celebrate Cybersecurity Awareness Month, it is essential to recognize the unsung heroes of our workplaces who work tirelessly to protect our data. While they play a key role in our cybersecurity, it is vital to remember that each employee is the first line of defense for their data. Taking ownership of our collective security is a shared responsibility.
In the second part of this three-part series, we will delve into the importance of building a cybersecurity culture and how empowering employees can transform them into your first line of defense. Stay tuned to learn how to engage your team and turn cybersecurity awareness into a company-wide priority.
Leonard Duque is the director and chief information officer for the Technology Solutions Group at P&A Grant Thornton, one of the leading audit, tax, advisory, and outsourcing firms in the Philippines. For more information, visit our website at www.grantthornton.com.ph. We’d love to hear from you! Connect with us on LinkedIn and like us on Facebook at P&A Grant Thornton. Email your comments to [email protected].