Cybersecurity is the bedrock of intelligent business. Companies that hope to develop superior customer knowledge, unique insights, and proprietary intellectual property by utilizing digital capabilities will require a robust cybersecurity strategy to underpin the whole. Companies need a strategy that leads to true cyber resilience.
To create a resilient enterprise, companies must make changes in four areas: leadership and governance, funding, organizational culture, and security measurement and monitoring.
Directors and executives should be asking themselves the following questions in order to ensure that they are on the right track.
1. Leadership and governance: Do we really understand what’s at stake for the business?
CEOs and boards of directors fortunately are ramping up their engagement and accountability for cybersecurity. Most CEOs, however, have much more to do. The chief executive’s relationship with his or her chief information security officer (CISO) is critical to the right kind of engagement. The CEO’s relationship with the CISO is also important to the board’s ability to perform sound cyber-risk governance.
CISOs should have oversight of more than just the corporate office, to include functions, subsidiaries, joint ventures, and labs. They should be involved in discussions of any new business initiatives or technologies that will increase cyber risk. CEOs and boards should bring them into the inner circle to help build risk management strategies to support business goals and objectives. The bottom line is that CISOs must become business advisors to leadership and informants of business challenges and successes to boards.
2. Culture: Do we truly put security first?
A big part of embracing a security-first culture is having the right mindset. At the C-suite and board level, cyber resilience and operational performance management should go hand in hand. Security must be a strategic priority tracked and reacted to as part of the tempo of normal business management, much the same as with the profitability of business units. It is a new competence that needs to be built, just like manufacturing excellence or personalization in digital marketing.
This mindset must spread throughout the organization and serve as a spur to proper actions. Line management must understand that they have a primary objective: Protect customers’ data and the company’s digital assets and operations. Fail at this and all else is irrelevant. The same is true for the front lines.
Cultural change must be backed by action and investment, and the buck stops with the board. Ensure your board is asking management whether or not this key culture change is being made across the organization.
3. Funding: How much is the right amount?
Answering this difficult question requires breaking it into two parts:
Is the company brilliant at the basics? This means properly investing to resolve challenges of any magnitude—from intruders who want to get at a particular customer, to attackers after the company’s most critical assets, whether they be data or key intellectual property that differentiates the company in the market.
Is the company innovating to improve its security? The only way to lower the cost of cybersecurity (or at least slow cost increases) while improving overall capability is to innovate upon current security practices.
Getting the basics right isn’t easy. It requires understanding and preparing for the many potential intentions of cyberattackers. It also means hardening high-value assets. Companies must make it as difficult as possible for attackers and limit the damage that’s possible when they do breach the walls.
Breakthrough innovations come from many corners, including business partners, vendors, and alliances across other ecosystems. CEOs and boards should think of the startup community as their company’s route to innovation and experimentation. Once partners demonstrate how their products will integrate efficiently and drive value in the security mission, security professionals must rapidly scale the innovations across their organizations. The CEO can empower that scaling, and the board should be asking the CEO about plans to do so.
4. Metrics and monitoring: Are we measuring for business relevance?
The metrics used in the past to measure business success won’t help in the future. For example, low, medium, and high compliance scores don’t communicate enough about business risk. Rather than information such as project plans on encryption, CEOs and board members should receive metrics on protecting customer data. Rather than metrics around patching (updating software with the latest, most secure versions), they should hear about how the integrity of production environments is being maintained. Companies need business-relevant scorecards on security.
In addition to receiving better information on more relevant metrics, CEOs and boards should improve their own monitoring and understanding of cyber threats. They need to develop muscle memory by taking part in crisis drills and working through attack scenarios. Such practice helps track improvements and lessons learned, and prepares leadership to respond immediately when a threat occurs.
The Path to Cyber Resilience
CEOs and boards of big organizations that have been successful at demonstrating cyber resiliency are leading wise pivots to new strategies for security. While these pivots are essential to the survival of businesses, they do bring risks and increased attack surfaces to critical digital assets and operations. Business leaders must engage more directly to own this challenge, because in the future, the only resilient business will be one that is cyber resilient.
The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.
As many as 95 percent of breaches to companies’ data have a human element associated with them. It is no wonder, then, that security teams call people “the weakest link” in securing an organization and choose other investments for defense. Despite companies’ deep investments in security technology over the years, security breaches continue to increase in frequency and cost.
The conventional approach misses a significant opportunity to utilize people as a defense strategy against the ever-changing threat landscape. In fact, only 45 percent of respondents in the National Association of Corporate Directors’ 2016–2017 Public Company Governance Survey reported that their boards assessed security risks associated with employee negligence or misconduct. Organizations that have fostered intentional security cultures from the boardroom to the server room have managed to transform employees into their strongest asset in defending against attacks, gaining advantages in both protecting against and detecting cyber threats.
What is security culture?
From the boardroom to the server room, people could be your greatest security asset.
Culture-competent boards and management teams understand that culture is the set of behaviors that employees do without being told. In simpler terms, it’s “the way things are done around here.” There are many sub-cultures within an organization, and security culture is one that often looks quite different from the expectations set by policy. Security culture has the power to influence the outcome of everyday business decisions, leaving an employee to judge for themselves the importance of security in a decision. For instance, some frequent questions that employees might encounter include:
Is it OK to release insecure code, or should we test more, even if that results in a delay?
Do I feel safe to report that I may have incorrectly shared a critical password?
Do I prioritize a secure vendor over a less expensive one?
Each of these decisions, when made without security in mind, adds to the organization’s security debt. While it is likely that none of these decisions on its own will lead to the downfall of the organization, each risky action increases the probability of being targeted and successfully compromised by cyber-attackers. On the other hand, if the questions presented above are answered with a secure mindset, over time an organization can expect to see more secure code, better data handling processes, and an increased ability to detect cyberattacks, just to name a few examples. A positive, security-first culture makes it more difficult for an attacker to find and exploit vulnerabilities without detection, incentivizing a different choice of target. Directors at companies across industries should carefully evaluate whether management has established a security-first culture as part of their greater cyber-risk oversight strategy.
It is worth realizing that security-minded employees will not solve all security headaches. However, a company’s talent is an essential third leg of the business stool, partnered with technology and processes. An organization that does not invest in training and empowering its employees to prioritize security is only defending itself with two-thirds of the options available to it.
How do you practice it?
The first step boards and executives can take to shape security culture is to identify the most critical behaviors for your employees. Historically speaking, security culture programs used to be based on compliance and asked, “How many people completed a training?” or “How much time is an employee spending on education?” These are not the right questions. Instead, we should ask, “What will my people do differently after my program is in place?”
Prioritize behaviors by their impact on the security of your organization, customers, and data. Ideally this will distill down into two to three measurable actions that boards and executives can encourage employees to take in the short-term to be security minded. Most mature security culture programs have the following three capabilities to help develop these behaviors: measure, motivate, and educate.
1. Measure: It is critical to have measures in place to show progress against culture change. When an organization can measure its key desired behaviors, it can start answering critical questions such as:
– Are my campaigns effective at changing this behavior?
– What groups are performing better? Why?
– Has the company already met its goals? Can I focus on the next behavior?
Measuring culture is notoriously tricky because of its qualitative nature, but it can be done using measures such as the number of malware infections, incident reports, or even surveys that test for the knowledge of, and adherence to, policy and process. Surveys should also test for employees’ perception of the burden of security practices, as well as a self-assessment of individual security behavior.
2. Motivate: Effective behavior change requires motivation. Spending the time explaining the purpose behind each security measure goes a long way in getting employees on board. As an example, sharing case studies of successful attacks and lessons learned helps demonstrate to employees that the threat is real and applicable to their work. Some other great ways of providing motivation to follow through on security behaviors are public recognition of outstanding behavior, gamification, or rewards for success.
3. Educate: Employees cannot act to change their behavior if they are not fully trained to do so. Ensure employees have the knowledge and tools to complete the security tasks. Ideally, the information presented should be tailored by role and ability level to make it as relevant and interesting to the employee as possible. One key focus should be on educating senior executives on the trade-offs between risk and growth in a company. Consider providing scenarios based on real cyber-attacks that explore the long-term impact of risky business decisions. Add these discussion opportunities to existing leadership courses to help model a security mindset as a valued leadership trait.
Senior level engagement
While the above is a framework that boards and executives can use to drive security behavior change from the bottom up, leadership has an important role in setting the security culture as well. Executives can publicly share the value they place on security as employees themselves, which will reinforce the importance they see in a proper security culture for the organization and for the customers it serves. Executives should hold their businesses accountable for executing on key security behaviors and publicly call out examples that have impacted the security of the organization, either positively or negatively. Finally, boards should press executives to ensure that the focus of their people-centric security program is on the highest area of risk, not just what is easy to measure.
Masha Sedova is the co-founder of Elevate Security, a company delivering interactive and adaptive security training based on behavioral science. Before Elevate, Masha was a security executive at Salesforce.com, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers.