In today’s fast-paced digital world, cybersecurity is no longer just about protecting systems and data; it is about safeguarding the people who interact with those systems every day. This Cybersecurity Awareness Month, it is imperative that we foster a culture of cybersecurity awareness and resilience.

This three-part series explores how businesses, particularly in FinTech, Business Process Outsourcing (BPO), Healthcare, and Small to Medium Enterprises (SMEs), can move beyond mere compliance and build a people-focused cybersecurity strategy. Each article will delve into critical aspects of cybersecurity, from the importance of properly staffing IT departments to the need for engaging and relatable security training, and finally, the pivotal role of leadership in driving a culture of cybersecurity. By understanding and addressing these areas, your organization can strengthen its defenses against ever-evolving cyber threats.

The IT Capacity Conundrum: A Hidden Threat to Cybersecurity

As organizations become increasingly dependent on digital infrastructure, the role of IT departments has expanded significantly. Yet many companies, especially in sectors like FinTech, BPO, Healthcare, and SMEs, are struggling with the growing demands placed on their IT teams. A recent survey by Palo Alto, a global cybersecurity company, revealed that 24% of CEOs do not consider themselves responsible for their organization’s cybersecurity, delegating this critical task entirely to CIOs and IT teams. This disconnect can lead to under-resourced IT departments, which in turn create significant cybersecurity vulnerabilities.

IT departments in many organizations are stretched thin, often required to manage both day-to-day IT operations and the complex demands of cybersecurity. Gartner’s guidance on the IT-personnel-to-employee ratio for organizations with fewer than 2,500 employees suggests a ratio of 1:70 to 1:100. However, many companies, especially SMEs, fall short of this guideline.

Common symptoms of IT capacity issues include:

  • No dedicated IT security/compliance personnel: General IT staff such as systems administrators and technical support personnel are also assigned IT security roles and responsibilities. In some cases they are additionally tasked with creating, composing, and conducting training programs and videos, instructions, advisories, and IT policies, work that is time-consuming and requires specialized knowledge.
  • IT auditors are only called in to do IT/cybersecurity compliance work on an “as needed and as available” basis, with client/revenue work taking higher priority. When the clients call, work on cybersecurity stops.

This shortage means that essential cybersecurity tasks, such as monitoring for threats, updating security protocols, and ensuring compliance, may be inadequately addressed. The result is critical cybersecurity gaps that cybercriminals are quick to exploit.

The Need for Dedicated Cybersecurity Roles

To mitigate these risks, organizations must consider restructuring their IT departments to include dedicated cybersecurity roles. A well-organized IT structure should involve direct reporting to the CEO or COO, a clear IT governance framework, and a specialized team focused solely on cybersecurity.

An ideal IT organizational structure might include:

  • Direct Reporting Line to CEO/COO: This ensures cybersecurity remains a strategic priority.
  • IT Steering Committee: This advisory group guides IT and cybersecurity strategies, ensuring alignment with overall business goals.
  • Dedicated Cybersecurity Team: Responsible for IT controls, compliance, security operations, and quality assurance, this team ensures continuous protection and compliance with cybersecurity standards.

For companies that may lack the resources to build an in-house cybersecurity team, partnering with a Managed Security Services Provider (MSSP) can provide a cost-effective solution. An MSSP brings specialized expertise and 24/7 monitoring, offering peace of mind that your organization’s cybersecurity is in capable hands.

Why This Matters for FinTech, BPO, Healthcare, and SMEs

These industries handle sensitive data and operate in highly regulated environments where cybersecurity breaches can have severe consequences; SMEs, in particular, often lack the capacity or capability to deal with them. Ensuring that your IT team is not overburdened and that cybersecurity is a dedicated function is crucial. Consider engaging third-party IT security audit providers to evaluate your current IT structure and implement a tailored capacity- and capability-building solution staffed by cybersecurity experts, so that your organization is appropriately resourced to protect against the latest threats.

Moving forward

As we celebrate Cybersecurity Awareness Month, let’s recognize the unsung heroes of our workplace who work tirelessly to protect our data. While they play a key role in our cybersecurity, remember that you are your data’s first line of defense. Take ownership of your responsibility to our collective security.

In the second part of this three-part series, we’ll dive into the importance of building a cybersecurity culture and how empowering your employees can transform them into your first line of defense. Stay tuned to learn how to engage your team and turn cybersecurity awareness into a company-wide priority.


As published in The Manila Times, dated 16 October 2024