A View of Cyber Security from the C-Suite
I recently attended a few conferences during which CEOs, CISOs, and CIOs shared some of their insights about IT and cyber security and how those elements tie into their “big picture” directives and goals. It certainly can be a challenge to balance business perspectives and day-to-day tasks. As Richard Warner, a host and facilitator with Executive Alliance, said, infosec professionals have a “deviously complicated job because success is when nothing happens.”
Following are some of the observations and pieces of advice offered by the C-level executives. Hopefully they will help you as you are planning your security awareness and training initiatives.
From the CEO: Two Primary Concerns and Four Questions
A CEO of a global IT services provider offered an interesting viewpoint given that his career path included prior stints as an engineer, a CIO, and head of sales and operations. As CEO, his directives are to grow revenue and to seek and seize transformational opportunities. How do IT and cyber security mesh with those aims? In his experience, he said, organizational leaders should focus on customers and employees. He indicated that his two primary security concerns are fairly simple: the safety of client data and the safety of employee data.
He went on to say that he generally has four questions for his information security team:
- If you were attacking our organization, how would you do it?
- If someone attacked today, how would you know?
- If an attack were successful, what’s the worst that could happen?
- What are we doing to address these issues and improve our security posture?
The CEO acknowledged that CIOs and CISOs are in a difficult spot in that they must balance business and technology pressures. He stressed the importance of time to market and said that infosec professionals should not lose sight of that. As such, he advises these teams to prioritize speed and agility, focusing on “small, bite-sized chunks rather than large, monolithic programs.”
At Wombat, we understand the need for training at all levels and the effectiveness of a top-down approach to security awareness training. Our new Security Essentials for Executives module focuses on the key cyber security threats top-level managers and executives face on a day-to-day basis. This education module provides scenario-based training that will help these users recognize malicious attacks and change risky behaviors.
From the CSO: Embrace the Human Nature of Security
The Chief Security Officer for a large credit card processing company kicked off his presentation with a simple question: Given that infosec teams know all the things they’re supposed to be doing, why are they still struggling?
He indicated that much of the problem is rooted in a focus on compliance rather than security. Most organizations that experience a PCI breach, he said, are fully compliant with PCI DSS. A tunnel-vision approach to what he called “paper compliance” is likely to leave organizations lacking in effective, organization-wide cyber security initiatives (a caution we’ve shared ourselves in the past).
The CSO feels that, in general, infosec teams have not spent enough time on people and culture, and he thinks that’s holding organizations back. He believes a triad of technology, processes, and people — in which all get substantial attention — is the best way to move the dial on cyber security. He also offered these pieces of advice:
- Focus on risk reduction rather than risk prevention. There is no way to eliminate risk, but you can manage it. People and technology can both help on that front; it shouldn’t be regarded as an “either-or” proposition.
- Infosec professionals need to care about the factors that make people feel secure. If two sides keep speaking a different language, it will be hard to make progress.
- Understand and account for human drivers. As he said, “People don’t write down passwords to make you angry. They do it to make life easier.”
- Recognize that your end users — and your executives — are getting security messages from sources other than you. Make every attempt to find out what those sources are — particularly in the case of your CEO.
From the CISO: Work to Change the Culture
The CISO of a large credit card company spoke of the importance of a company-wide approach to cyber security. “Security is all about strong teamwork. You need to engage the entire company to change the culture,” he said. (He recommended viewing a 1977 film called Powers of Ten™, which offers an interesting and scientific take on perspective.)
He advised the infosec professionals in attendance to make the effort to quantify end-user risk reduction, and he emphasized the need to help executives understand risk reduction methods overall. “You need to lead toward sustainable cultural change,” he said. “Show where improvements are coming from and think about how you want to frame your conversations with key decision makers.”
He also recommends that organizations “federate” security. Working together with common goals and implementing a risk-based decision-making model are two ways to improve an overall security posture, he said.