Cybercrime is not inevitable. With a security culture, meaning a rigorous, people-first risk management strategy, organizations can muster the vigilance to head off threats.

In the wake of Log4j vulnerabilities, massive breaches like SolarWinds, and the cream cheese shortage during the 2021 holiday season, organizations are changing up security strategies to mitigate cybercrime damages that are predicted to total US$10.5 trillion annually by 2025.

Security Cultures Prioritize New Business Practices

As every company becomes technology-driven, risks are escalating, pushing security much closer to the top of business priorities. Gartner researchers said that by 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest, and political instabilities. Meanwhile, security cultures will have changed numerous business practices. By next year, IDC analysts said that 80% of organizations faced with complex global regulations will increase security compliance automation investments by 25% to consistently meet policies and regulations. In the same time frame, IDC predicted 25% of G2000 public cloud customers will subscribe to integrated risk management and cyber-insurance policies through shared fate/risk programs to protect against sophisticated cyberattacks.

Make Security a Company-Wide Responsibility

Security and risk leaders who responded to a recent Gartner survey ranked the Internet of Things (IoT) and cyber-physical systems as their top concerns for the next three to five years. Gartner analysts predicted that by 2023, 75% of organizations will restructure risk and security governance to address the widespread adoption of advanced technologies, an increase from less than 15% today.

In a world where just about every organization is in the computer industry, embedded secure practices across the organization are table stakes. For example, SAP follows the NIST (National Institute of Technology in North America) cybersecurity framework, a holistic security strategy based on repeatable processes. This approach harmonizes controlled security company-wide, including product development and operations.

“Security has always been our number one concern,” said Tim McKnight, executive vice president and chief security officer at SAP. “With the acceleration of digitalization, organizations have embarked on a massive cloud-based computing transformation that extends to security. We’ve undergone a multi-year security transformation backed by the commitment of our Executive Board and real-time input from customers.”

A security culture comes down to a shared vision that’s carried out by leaders who make security a priority and teams who participate in ongoing trainings that celebrate success and learn from failures. People in any sector can take a page out of the software applications industry playbook.

“We’ve set cybersecurity goals for all of our executives,” said McKnight. “We present these measures to the Board on a regular basis, reviewing progress against security initiatives. With open conversations around security, we reinforce priorities while driving accountability from each department. Whether you’re an executive, team lead, or individual contributor, you need to understand your role in driving a security culture with a security-first mentality. After all, the vast majority of security incidents are the result of human error.”

Don’t Let Other Business Demands Supersede Security Resources

While just-in-time supply chains boost business agility in a post-pandemic environment, having more partners also increases risk. Forrester researchers predicted that 60% of security incidents will involve third parties in 2022. Maybe that’s why IDC researchers said that by next year, 55% of organizations will allocate half of their security budgets to cross-technology ecosystems and platforms designed for rapid consumption and unified security capabilities to drive agile innovation.

Companies need to allocate sufficient resources to prioritize security across the entire product life cycle, from development through go-live and support. With intelligent capabilities from artificial intelligence (AI), machine learning, robotic process automation (RPA), and other technologies, products and services increasingly require advanced security measures.

“An effective culture makes security everyone’s responsibility,” said Wiebke Thelo, senior vice president and head of SAP Quality, Application Security, and Production. “For example, business information security officers at SAP report directly into business unit leaders. They work together, making sure that security is embedded into product design, development, and operation.”

Educate Employees Now for a Trusted Future

IDC research showed that close to 25% of organizations report ransomware infections weekly. Human judgment is core to preventing these incidents. However, Forrester analysts warned about the “security brain drain” as one in 10 experienced professionals have exited the industry during the past year. These analysts advised security executives to address burnout and team culture problems and use succession planning to build a pipeline of security leaders.

SAP Teams Up with HBCUs to Attract Talent to the Cybersecurity Curriculum

“A security culture requires significant learning and development, which is why we’ve professionalized security,” said McKnight. “The human element is critical – we position people first, process second, and technology third. We start with our people and make sure they have the skills they need.”

As remote working, just-in-time supply chains, and tech innovations continue, companies have to think and act faster than the criminals. There’s never a good time for a cyberattack. Just ask the people who suffered through the cream cheese shortage. Criminals don’t take holidays and a security culture is the best protection.


Follow me @smgaler
This also appeared on SAP BrandVoice on Forbes.