With cybersecurity breaches on the rise, one thing is clear: The current defenses of U.S. organizations -- both public and private -- do not rival the skill, persistence and prowess of those who seek to wreak havoc on our information-technology infrastructure and operations. What many organizations are doing in response to this growing and pervasive threat often stops with efforts to secure their systems through technology without a continued focus on building and sustaining a culture of deterrence and vigilance.
The problem with this approach is that attackers and their tools are always changing. While no one doubts the need to establish a systematic, technology-based way to protect against breaches, attention is rarely paid to building a culture of security from the bottom up. For organizations that do build one, the results are easily quantifiable: According to a recent survey commissioned by PricewaterhouseCoopers, CSO magazine, the Secret Service and Carnegie Mellon University's Software Engineering Institute, organizations that conduct ongoing employee training and awareness programs see their financial impact from security breaches drop to an average of $168,000, a quarter of what those without such programs lose ($683,000).