While senior leadership within most organizations today would readily admit that cybersecurity is one of their biggest concerns, many are still woefully behind when it comes to building a more cyber-aware culture among their employees and even the C-Suite. According to the “International Trends in Cybersecurity” report published last May by CompTIA, companies are taking steps to bolster cybersecurity knowledge among their workers by making it part of new employee orientation, as well as through ongoing training programs, online courses, and random security audits. However, only 23 percent of the 1,500 businesses surveyed in the report rated their cybersecurity education and training methods as being extremely effective.
Results published last September from the fourth annual data breach preparedness survey conducted by the Ponemon Institute, which was sponsored by Experian Data Breach Resolution, also found that many senior level executives are still not taking an active role in cyber-threat mitigation. According to the study, which surveyed 665 executive and staff employees who work primarily in privacy and compliance in the U.S., 57 percent of respondents said their company’s board of directors, chairman and CEO are not informed and involved in plans to deal with a possible data breach. Other findings from the report included:
- Only 40 percent of respondents say they want to know ASAP if a material data breach occurs.
- About one-third of respondents (34 percent) said their board does understand the specific security threats facing their organization.
- Only 26 percent of respondents believe the board is willing to assume responsibility for the successful execution of the incident response plan.
Kevin Walker, Security CTO for Juniper Networks and the former CISO at Walmart.com, says the key to creating a more effective cybersecurity culture really depends on organizations and their current security posture. While some companies obviously have a more mature and well-defined cybersecurity program, others are less advanced.
“First of all, you have to understand the business. If you don’t understand the business, then you can’t protect it,” Walker explains. “Also, understanding the risk appetite and identifying the real risks – not just the theoretical or textbook risks – but the real risk for your organization which means understanding how you deliver services.”
A company involved in e-commerce, for example, as part of an effort to streamline the shopping experience for the consumer, may store payment information for the user. But if someone obtains the customer’s password, then they could go in and manipulate that data. Walker says protecting this and other information does not just fall on the security team, but on the entire business and service delivery components of the business.
“It’s everyone’s responsibility but when we say that we get a lot of eyes rolling. ‘Oh yeah, of course, it’s everyone’s responsibility,’ but it really is,” Walker adds. “How you design a product, how you design features, understanding where you can put pressure and where you can’t is really, really important because it lets the security team focus on the really hard problems. If you can illuminate the obvious weaknesses, then they can focus on other things.”
Walker says he also puts some of the onus on his colleagues in the information security space, many of whom are still “pounding desks" and pushing for "strong passwords” rather than creating outreach programs and teaching others within the organization about what’s really needed, which would go a lot further in solving the problem. He also advises security executives to set goals that are appropriate for their respective organizations, adjust them as needed on an ongoing basis and to be an advocate for security, not just a “traffic cop.”
“That means, literally getting on planes if you need to in order to get out to other security leaders across the globe for your company and making sure you understand their dilemma. Just because something works in Sunnyvale, California, doesn’t mean it will work in Dubai or for your team in London or Bonn, Germany,” Walker says. “It’s not a matter of, ‘here’s a declaration that you must do because I say so,’ and then come back in a year and grade them. That doesn’t do any good. You have to give them the tools they need to be successful to meet those goals.”
Although it’s often said that people are the weakest link when it comes to security, Walker says they can also be a company’s greatest strength if they have the right people. Given that some of the largest, most high-profile cyber-attacks in recent memory started with a well-crafted phishing attack, Walker says that end-user training is paramount and that organizations need to foster a culture in which workers across the spectrum are encouraged to speak up when they see something suspicious.
“A lot of breaches are identified when an employee sees something that’s odd. Vigilance is crucial there and I think having a culture where you’re not discouraged from raising your hand to say, ‘hey, that doesn’t look right,’ is very important,” he says.
Walker says CEOs and CISOs who are serious about cybersecurity will ensure that the leaders under them are indeed measured on the performance of security and that these issues are not just mere talking points. One way to do this is to tie compensation and bonuses to achieving different security goals.
“Here are the goals as established by CISO and did you make them? If you didn’t, guess what? Your bonus should be impacted. It’s that straightforward,” Walker concludes. “I’ve seen it happen successfully in a few organizations and it turned the culture around. It can be done, but it’s not done through platitudes, it’s done through action.”
About the Author: Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected]