作者: 戴安娜·卡尔德隆,CISM
发表日期: 2023年8月23日
相关: 数字信任现状

在今天的数字时代, companies constantly face cybersecurity threats that can cause irreparable harm to their reputation, 财务和客户信任. Building a solid cybersecurity culture is critical to any company’s cyber strategy and should be a top priority for organizations and security teams.

但什么是安全文化? 安全文化是共同的价值观, 帮助组织保护其资产的态度和行为, 包括人, 数据和系统. It is a proactive approach that emphasizes the importance of security as a business priority and involves everyone. 建立一个健全和积极的安全文化不是一个一次性的项目. Instead, it requires ongoing efforts to keep pace with new threats, technologies and regulations.

为什么安全文化很重要? A strong security culture has several benefits for your organization, including:

  • 降低网络威胁的风险: When your employees understand the importance of security and how to protect your organization’s assets, 他们不太可能落入网络钓鱼骗局和恶意软件的圈套, 或者犯其他可能导致入侵的安全错误.
  • 与客户建立信任: A strong security culture can help you earn your customers’ trust by demonstrating that you care about privacy and security.
  • 加强合规:良好的安全文化可以帮助您遵守法规和标准, 比如GDPR, PCI DSS, HIPAA和ISO 27001, by ensuring your employees follow the required security controls and procedures.

如何创建强大的安全文化? Building a strong security culture requires a joint effort from everyone in the organization. 安全不仅是一个IT问题,也是一个人的问题. 根据Verizon的说法, 82 percent of breaches, including phishing, social attacks or misuse, involved the human element. 不幸的是, 人已经成为主要的攻击媒介, and one of the most significant challenges is managing human risks effectively. Here are some key steps to build and maintain a strong security culture that also promote resilience and digital trust:

  • 从头开始安全文化始于领导. The company’s leaders should be the first to adopt a security mindset and should set an example for the rest of the organization.
  • 从评估开始在提高你的安全文化之前, you must understand your organization’s culture and its current security posture. You have a greater chance of success by aligning security with your existing culture. 进行彻底的 安全评估 识别你的关键资产, 潜在的威胁和漏洞, 并利用调查结果制定全面的安全战略.
  • 制定安全策略: A security strategy is a roadmap that outlines an organization’s security program’s goals, 目标和行动计划. The strategy should also include policies and procedures that guide employees in handling sensitive information, 报告安全事件并遵守法规要求. You should align your strategy with the business and aim to integrate security into all aspects of the business, 从采购到产品开发再到客户服务. 
  • 提供培训和意识: 安全意识培训 是帮助员工必不可少的吗, contractors and partners understand their roles and responsibilities regarding security and should be ongoing, 这不是一次性的事情. Regular training sessions on security best practices help your employees understand security breaches’ risks and consequences, 促进安全意识的文化.
  • 了解你的受众当涉及到安全问题时,了解你的受众是至关重要的. 不同的团队可能有不同的安全问题. For example, the finance team might worry about different things than the engineering team. So, ensure you know who you’re talking to and their specific needs and problems. Take the time to tailor your message and initiatives to your audience so that they can stay engaged and informed.
  • 做好准备弹性是指抵御网络攻击并从攻击中恢复的能力. 它需要技术和组织措施的结合, 比如备份, 冗余, 灾难恢复计划和事件响应程序. A strong security culture promotes resilience by fostering a preparedness mindset and simulating scenarios of what could happen during a real cyberattack.
  • 培养数字信任:建立数字信任意味着确保客户, partners and others believe your company can keep their data safe and protect their privacy. 要做到这一点, organizations must be transparent and accountable about using people’s data and comply with laws and regulations like GDPR and CCPA. Having a strong security culture is one way to promote ethical behavior and respect for privacy, 哪些可以帮助建立数字信任. 
  • 简化政策安全策略是安全文化的重要组成部分. Your security policies and procedures should be clear, collaborative and accessible to all employees. Everyone should know what’s expected from them and the consequences of non-compliance. 
  • 培养积极的安全意识文化安全文化不应该是惩罚性的或基于恐惧的. You can tell whether a security culture is positive by how your employees interact with the security team. Recognize and reward employees who demonstrate sound security practices – for example, 通过报告安全事件和关注点. 这可以是一个简单的公开承认或小奖金. Empower them and celebrate people’s wins, reports, questions and concerns without judgment.
  • 打造安全冠军澳门赌场官方下载安全团队通常人手不足, but what if you can help your security team scale their resources and instill a secure-by-design mindset? By bringing together a group of dedicated individuals from different teams and backgrounds, you can foster a sense of community that supports and empowers everyone to prioritize security and work toward creating a secure environment.
  • 监控、测量和报告:最后, monitoring and measuring the effectiveness of your security culture initiatives is essential. Conduct regular surveys and assessments to gauge your employees’ knowledge and behavior, 并使用结果来确定需要改进的地方. Share these metrics with your key stakeholders to demonstrate the program’s return on investment and use the results to identify any areas that need further support. 

Establishing a strong security culture may appear daunting, but it’s a wise long-term investment. 有了正确的承诺, 资源与领导力, the benefits of a strong security culture are worth it: a more secure and resilient organization, 加强安全团队和其他部门之间的协作, 改善遵从性, 增加了客户的信任. 除了, 具有强大的安全文化, you can positively impact your organization’s security posture by promoting preparedness for new threats, helping your organization to withstand and recover from cyberattacks more effectively.

编者按: For additional strategies to build digital trust and access to insights from over 8,100位数字信任专家, 下载ISACA最新的《澳门赌场官方下载》报告.