First of three parts
In today’s fast-paced digital world, cybersecurity is no longer just about protecting systems and data; it is about safeguarding the people who interact with these systems every day. This Cybersecurity Awareness Month, it is imperative that we foster a culture of cybersecurity awareness and resilience.
This three-part series explores how businesses, particularly those in financial technology (fintech), business process outsourcing (BPO), health care, and small and medium enterprises (SMEs), can move beyond mere compliance and build a people-focused cybersecurity strategy.
Each article will delve into critical aspects of cybersecurity, from the importance of properly staffing IT departments to the need for engaging and relatable security training and finally, the pivotal role of leadership in driving a culture of cybersecurity. By understanding and addressing these areas, your organization can strengthen its defenses against ever-evolving cyberthreats.
As organizations become increasingly dependent on digital infrastructure, the role of IT departments has expanded significantly. Yet, many companies, especially in sectors like fintech, BPO, health care and SMEs, are struggling with the growing demands placed on their IT teams.
A recent survey by Palo Alto, a global cybersecurity company, revealed that 24 percent of chief executive officers (CEOs) do not consider themselves responsible for their organization’s cybersecurity, delegating this critical task entirely to CIOs and IT teams. This disconnect can lead to under-resourced IT departments, which in turn creates significant cybersecurity vulnerabilities.
IT departments in many organizations are stretched thin, often required to manage both day-to-day IT operations and the complex demands of cybersecurity. Gartner’s recommendations for an IT personnel-to-employee ratio in organizations with fewer than 2,500 employees suggest a ratio of 1:70 to 1:100. However, many companies, especially SMEs, fall short of this guideline.
Common symptoms of IT capacity issues include:
– No dedicated IT security/compliance personnel. Regular IT staff such as systems administrators and tech support personnel are given additional roles and responsibilities as IT security personnel. In some cases, they are also tasked with creating and conducting training programs and videos, instructions, advisories and IT policies, which are time-consuming and require specialized knowledge.
– IT auditors are only called to do IT/cybersecurity compliance work on an “as needed and as available basis,” with client/revenue work having a higher priority. When the clients call, work on cybersecurity stops.
This shortage means that essential cybersecurity tasks, such as monitoring for threats, updating security protocols and ensuring compliance, may be inadequately addressed, leaving critical cybersecurity gaps that cybercriminals are quick to exploit.
To mitigate these risks, organizations must consider restructuring their IT departments to include dedicated cybersecurity roles. A well-organized IT structure should involve direct reporting to the CEO or chief operating officer (COO), a clear IT governance framework and a specialized team focused solely on cybersecurity.
An ideal IT organizational structure might include:
– A direct reporting line to the CEO/COO. This ensures cybersecurity remains a strategic priority.
– An IT Steering Committee to guide IT and cybersecurity strategies, ensuring alignment with overall business goals.
– A dedicated cybersecurity team. Responsible for IT controls, compliance, security operations and quality assurance, this team ensures continuous protection and compliance with cybersecurity standards.
For companies that may lack the resources to build an in-house cybersecurity team, partnering with a managed security services provider (MSSP) can provide a cost-effective solution. An MSSP brings specialized expertise and 24/7 monitoring, offering peace of mind that your organization’s cybersecurity is in capable hands.
Why does this matter for fintechs, BPOs, health care firms and SMEs? These industries handle sensitive data and operate in highly regulated environments where cybersecurity breaches can have severe consequences; SMEs, in particular, often have neither the capacity nor the capability to deal with them.
Ensuring that your IT team is not overburdened and that cybersecurity is a dedicated function is crucial. Consider engaging third-party IT security audit providers to evaluate your current IT structure and to implement a tailored capacity- and capability-building solution staffed by cybersecurity experts, so that your organization is appropriately resourced to protect against the latest threats.
As we celebrate Cybersecurity Awareness Month, let’s recognize the unsung heroes of our workplace who work tirelessly to protect our data. While they play a key role in our cybersecurity, remember that you are your data’s first line of defense. Take ownership of your responsibility to our collective security.
In the second part of this three-part series, we’ll dive into the importance of building a cybersecurity culture and how empowering your employees can transform them into your first line of defense. Stay tuned to learn how to engage your team and turn cybersecurity awareness into a company-wide priority.
Leonard Duque is the director and chief information officer for the Technology Solutions Group at P&A Grant Thornton. One of the leading audit, tax, advisory and outsourcing firms in the Philippines, P&A Grant Thornton is composed of 29 partners and 1,500 staff members. We’d like to hear from you! Connect with us on LinkedIn and like us on Facebook at P&A Grant Thornton and email your comments to pagrantthornton@ph.gt.com. For more information, visit our website at www.grantthornton.com.ph.