The security industry needs to pivot away from “talking about things” and why they go wrong, onto “getting things done” and fixing things. This is not a problem which has – or can have – a purely technological solution. Leadership and the profile of the leaders – NOT TECHNOLOGY – are at the heart of the execution paradigm around cyber security in today’s digital world. People trust other people, and you need the right leaders to get things done around security, with the right balance of technical understanding, management acumen, personal gravitas and emotional intelligence.
Culture and governance are key to driving change around cyber security behaviours, but too many awareness programmes focus simply on superficial technical gimmicks. Steer clear of empirical and ready-made solutions: Start with focus groups, questionnaires and interviews, and measure upfront levels of staff security maturity and engagement with corporate values. There are 3 clichés that have been dominating the security awareness arena for the past decade. And here are 5 key points to build a successful cyber security culture change programme.
As senior executives turn a page and we enter – possibly – an execution-dominated decade around cyber security, many CISOs are just not equipped to lead. The profile of the chief information security officer (CISO) needs to change to adjust to the imperatives of the “when-not-if” era: It becomes essential to start prioritising leadership skills over technical skills and to distribute roles across a structured function, instead of looking for “unicorn” profiles: Nobody can be credible on all fronts across all functions and geographies of the business. Those profiles don’t exist and pretending otherwise is just setting the CISO up to fail.
It is hard to imagine a Board member today in any large organisation who would be unaware of cyber threats. Of course, priorities may vary in line with economic conditions or the general health of the business, but “cyber” is on the agenda of all Boards, and consistently rated as a top risk by many. The focus of the Board has shifted towards execution, very often in exchange for significant investments in cyber security, in particular where initial maturity levels were low.
Every start-up must understand that the real secret sauce is Trust: In a context of increasing levels of consumer awareness around privacy and data protection, your most valuable asset will be the trust of your customers in your product. Moving fast and breaking things has never created trust. Start-ups must build customer trust from the early days by embedding sound security and privacy practices in their products and in their culture.
We need to reflect once more on the staggering number of products and vendors active across the cybersecurity space. Many of those products still aim to address security requirements which are as old as security good practices themselves. They should have consolidated years ago and each should be dominated by a few players – in addition to the usual big names – all bound by healthy competition. The situation is often compounded by the fact that many security tools only end up partially deployed, or simply covering a fraction of the estate – functionally or geographically.
It is now becoming crystal clear that cybersecurity – beyond good practice and good ethics – is quite simply good business. Demonstrating the value of following cybersecurity best practices, however, is a problem. In fact, it is an important reason why the issue is still shifting in and out of most boards’ radars. Gut feeling alone does not make for a strong-enough case: Top executives are increasingly asking to be shown the data. Being able to show key stakeholders, in business terms, exactly what the tangible value-added of cybersecurity is will be key in finally anchoring the topic at the right level in organisations.
In many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders. In particular, the first and second lines of defence must work together on this. They must trust each other and look beyond absurd and arbitrary “separation of duties” concepts, to produce meaningful data for the business, around which meaningful decisions will be made to protect the firm.
There is no magical technology platform or service provider which can be – on its own – the answer to a fundamental transformative challenge around cyber security. The overarching challenge for the CISO lies in getting senior management to see that long-term change is rooted in a long-term vision and long-term planning, which take time to establish. Throwing money at the problem in the hope of making it disappear, without proper consideration of those matters, simply leads to failure and can only aggravate the perception among senior stakeholders that security is just a cost and a burden.
As every enterprise is becoming more and more data-driven, it is key for the Board to realise that cyber security is becoming a central tenet both of its core business and of its social impact and governance strategies. This should be the basis on which the cyber security imperative is cemented at Board level. Right where it always belonged. Here are key factors for boards and executive management to consider in 2019 around cyber security and privacy.
At the heart of cyber resilience lies a real application of “defence in depth” principles which have been well established for decades: Acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically. It is about the enterprise being enabled by the use of data and technology, whilst remaining protected from active threats. Instead of being treated as another box checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel a different culture from the top down around cyber security.
In recent years, the development of massive computing and storage capacities in the hands of a few internet juggernauts led to the rise of the cloud economy. Companies of all sizes have been moving their mission-critical servers and operations to these data centres. On the face of it, the development of Infrastructure as a Service (IaaS) should be good news for the state of cybersecurity. In this context, it is easy to believe that moving to the cloud could mean solving many of your cybersecurity issues.
Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it. This realisation fundamentally changes the dynamics around cyber security. Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the harder factors. Risk was always some form of adjustment variable.
Privacy and security considerations are the key ingredients of digital trust and must be at the heart of any industry’s digital transformation. The necessarily transversal nature of security and privacy matters needs to be woven into the fabric of an organisation for the digital transformation to succeed over the long term. At this juncture, the traditional role of the CISO – heavily influenced by a technical bias, tactically oriented and project-driven in many firms – could become exposed.
Cybersecurity has developed a high profile in many organisations over the past few years. But, who wants to be a Chief Information Security Officer these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? Those would be valid questions for many executive positions but when it comes to the role of the CISO, they seem to acquire a different meaning.
In the current business paradigm, replicated since by a number of online platforms, individuals willingly provide their personal information in exchange for a service. Personal data is subsequently repackaged and sold to advertisers and marketers. The unavoidable rise of the Internet of Things will only make the issue more complex, as increasingly intrusive and personal data will start to be collected about each of us. This poses new challenges around the issue of consent and privacy:
IoT security issues arise from ill-advised prioritization and the inherently short-term culture of the tech world. Security should be seen as a fundamental requirement for any IoT product—even MVPs. As the attitude of consumers and regulators shifts around those matters, it's becoming a simple matter of good business. Frankly, given the virulence and widespread nature of cyber threats, the need to take security seriously and embed it natively into IoT products should be seen as a simple matter of common sense for product developers and investors.