Civil Municipal - Mar 2024

As the staff does their part to practice basic cyber hygiene and resilience, CIOs and the IT team can guide them on the importance of cross-organization visibility, strategic asset segmentation, and tools and practices for comprehensive threat modeling and understanding and, most importantly, eliminating the risk of their organization being stagnant in their cyber practices. This shared understanding allows the IT team to propose and embrace a customized strategy aligned with the organization’s specific needs and vulnerabilities. IT teams can outline the desired outcome of their cyber strategy, such as network visibility, stopping the spread of ransomware and breaches, and improving incident response.

When proposing a customized cyber strategy, the IT team can choose to leverage data from existing technology. Alternatively, they can make the case for an investment in new technology. When they present their customized cyber strategy to leadership, they will have assurance that leadership understands threat vulnerabilities and recognizes the importance of having a customized cyber strategy and technology to be effective.

The cyber resilience and ROI journeys

Bad actors are constantly evolving their tactics, but their desired outcomes remain the same: to exploit and disrupt. Embracing an assume breach mindset and fostering active engagement from every level of the organization is essential. As staff continually participates in cybersecurity training, understanding deepens, and an educated cyber environment flourishes. IT teams, guiding strategic efforts, can turn concepts into actionable defenses.

The journey toward cyber resilience is ongoing and requires daily participation. As organizations continue to develop a comprehensive understanding of the importance of organizational participation and active engagement, these actions pave the way for maximizing their ROI in cyber, even with limited resources.
As everyone increasingly recognizes the ROI in cyber investments, strategies and involvement, the steps to overcome barriers will fall into place, and cyber resilience practices will come more naturally.

for fostering a culture where the priorities include preparing for breaches to ensure operations aren’t impeded, and the organization can respond effectively to cyber threats.

In 2023, state and local governments experienced a significant increase in various types of cyberattacks, including a 148 percent increase in malware attacks, a 51 percent increase in ransomware incidents, and a 313 percent rise in endpoint security services incidents, such as data breaches, unauthorized access and insider threats. Recognizing the severity of these statistics means acknowledging that the responsibility for and understanding of cyber threats can no longer fall solely on IT teams. While the IT team is responsible for the actual implementation process of technologies, building cyber resilience and being aware of cyber threats is the responsibility of the entire organization.

The impact of active engagement

Active engagement is integral to organization-wide participation. To adopt an assume breach mindset and make that cultural shift, organizations must also require their entire staff to participate in cybersecurity training continually instead of the annual training that most organizations require. Providing regular training on concepts, such as phishing, ransomware and cloud breaches, to the entire staff enhances their understanding of modern cyber criminals’ tactics, contributing to the prevention of attacks and breaches, and fostering a more cyber-literate environment. It also reinforces the importance of daily cyber hygiene and resilience practices. At the end of the day, it will increase the staff’s awareness of how to identify a potential threat.
To ensure staff remains actively engaged in their trainings, it is crucial that organizations establish a system to hold staff accountable if they fail to adhere. Currently, many organizations lack an accountability system for employees who neglect their training responsibilities. Implementing a system, and repercussions, not only holds staff accountable, but also emphasizes the seriousness of trainings and their ability to educate staff on how to detect cyber threats.

12 CIVIL AND MUNICIPAL VOLUME 5, ISSUE 03
