No avoiding it.
A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
When the pundits first said “Every company is a tech company,” it sounded like buzzword blather—until people realized it’s true. These days, companies in any industry—from media to retail—must make technology a core competency if they want to succeed.
And now the same is becoming true of cyber security. Once, it was only a handful of industries such as banking or technology that needed to make security a fundamental part of what they do. Today, everyone else does too. Do you doubt it? Just look at the terrible ransomware attacks that crippled hospitals and major companies like FedEx across the world on Friday—attacks that probably could have been prevented if they had updated their Windows software.
Being good at cyber security may not give a company a competitive edge in the market, but it will prevent security catastrophes, which is just as important. The question is how to achieve this.
People like Oren Falkowitz, the CEO of anti-phishing service Area 1, insist that technology provides the best route to cyber safety, arguing it’s impractical to train everyone in an organization to be good at security. Meanwhile, companies like Cloudflare are proposing industry wide approaches—like an initiative to create VPN-style protection for the Internet of Things—to make connected devices less dangerous.
These are fine approaches, but I can’t shake the impression that corporate culture must be part of the mix too. I recall how it was once okay for those of us in the media to ignore new technology (“why do I need that? I’m a writer!”), but now the industry treats tech literacy as a core part of a journalist’s job.
I get the feeling the same thing will happen when it comes to cyber security. So many cyber disasters are based on exploiting people’s lack of knowledge about elementary ideas like software updates or email attachments. Successful companies of the future may be those in which everyone in the organization has a basic level of cyber literacy.
Sure, that’s easier said than done. But at this point, companies and organizations have no choice.