Like an onion, cybersecurity contains multiple layers. When it’s done well, at least.
That’s what a trio of researchers concluded after setting out to discover what “responsible cybersecurity” looks like for organizations in today’s world.
Responsible cybersecurity? IT Brew caught up with Niki Panteli, a professor of digital business at Lancaster University in the UK and lead researcher on the project, to decode her team’s findings on the proposed framework, which sounds like it could be a character award from a grade school teacher.
“Responsible cybersecurity presents a collective commitment where multiple stakeholders act as stewards and [are] looking after cybersecurity,” Panteli said.
Panteli and the research team—which includes Konstantinos Mersinas, an associate professor at Royal Holloway, University of London, and Boineelo Nthubu, a graduate teaching assistant and researcher also at Lancaster University—arrived at that definition after conducting 20 interviews with cybersecurity professionals across several industries, including the utility and manufacturing services sector. From these conversations, the researchers were able to identify the following perspectives (or as they call them, “layers”) that made for a more ethical cyber environment:
- Techno-centric: Making sure systems are secure by design
- Human-centric: Creating a culture within an organization that supports the well-being of its cybersecurity employees
- Intra-organizational-centric: Promoting an environment where cybersecurity is a joint effort between different departments within an organization
- Inter-organizational-centric: Realizing your specific organization’s role in supporting the cybersecurity of the larger supply chain and ecosystem it sits in (think: butterfly effect)
- Societal-centric: Understanding the larger societal impact a cyber incident can have and using this recognition to influence security behaviors from the onset
Progress report. While Mersinas and Panteli told IT Brew that all five pillars proposed by the research team are important and “interconnected,” they noted that the industry is inconsistent in how it embraces them. Mersinas told us that the cybersecurity industry has traditionally maintained a heavy focus on the technical layer, but has slowly begun to branch out.
“Now there’s a lot of discussion on the human layer as well across the industry,” Mersinas said. “It doesn’t mean that it’s done properly. It doesn’t mean that we have exhausted it.”
Panteli said that organizations have room to improve when it comes to fully grasping an inter-organizational-centric approach to cybersecurity, a perspective she notes is important because of how interconnected organizations are.
Baby steps. The researchers proposed a variety of steps organizations can take to move closer to a responsible cybersecurity culture, including adopting a “collaborative mindset,” promoting security training and awareness programs, and emphasizing a need for a culture that is supportive of work–life balance.
“I do believe that we have…some way to go, at least, perhaps in some sectors more than others, perhaps in some organizations more than others,” Panteli said.