Are we secure yet? I was asked this question in a board meeting a many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it’s never finished. So, are we secure yet? The answer is an emphatic “No!” And we collectively never will be secure. However, we can and must apply rigorous risk management processes, innovative control technologies, and talented teams to our cybersecurity challenges.
The subject of this discussion is your organization’s cybersecurity culture. It is one of the most critical elements of a successful cybersecurity program and yet one of the most difficult to define, measure, and improve. Over the past decade, we have witnessed a constant cadence of major cyberattacks. The majority of these were cases in which the victims were required to disclose the event by statute or regulation. Others were disclosed as a result of highly visible business disruptions caused by the attack. Many of these were data breaches involving over 100 million records (for example, Target, eBay, Equifax, Capital One, Marriott, etc.) while others were ransomware attacks resulting in major disruption to their victim’s businesses (such as Maersk and the city government of Atlanta).
These attacks were costly and traumatic for the victim organizations but also had at least one positive result: They transformed the organization’s cybersecurity culture. The change in attitudes about cybersecurity in these cases can be dramatic. One CIO shared that a security investment decision that once would have taken weeks or even months to make now, after the company’s recent breach, required only a short call or quick meeting.
The value of a strong “post-breach” cybersecurity culture is material. According to the “2018 Cost of Data Breach Study: Impact of Business Continuity Management” from the Ponemon Institute, “The larger the data breach, the less likely the organization will have another breach in the next 24 months.” In fact, organizations that experience a breach of 100,000 or more records reduce their probability of experiencing another data breach in that time frame from 0.279 to 0.015! With the cost of a major breach or attack being measured in the hundreds of millions of dollars, achieving a post-breach cybersecurity culture without experiencing the trauma and impacts of a breach can be a huge benefit for the enterprise.
Measuring Security Culture
How we measure and improve an enterprise’s security culture starts with a discussion of the degree to which leaders, employees, users, vendors, and even customers are aware of and regularly follow effective cybersecurity best practices in seven key areas.
1. Board Expertise and Structure
Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful approach for getting the limited number of board members with cyber expertise to focus on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risks is a key priority.
2. CEO Engagement and Leadership
One criticism of CEOs at victim organization is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regularly basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough in the CEO’s priorities to allocate significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in driving a strong cybersecurity culture.
3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in implementation of effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team to ensure holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Having regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings, is a good start.
4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third party service providers, and others who are not employees but nonetheless interact with the enterprise’s technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to expand cybersecurity best practices throughout the ecosystem.
5. Awareness & Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing cybersecurity threat landscape and use senior leadership messaging to underscore its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable to communicate best practices or technical details applicable to those roles. An additional awareness mechanism I’ve used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day in terms that the business can understand and that offer context about how the items relate to the organization.
6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic to gain insights into new threats and organizational controls. Often, these discussions may be under a nondisclosure agreement but the corrective actions or confirmation that your controls coverage is already adequate are well worth the effort.
7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization’s cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behaviors puts the organization on notice that cybersecurity behavior gaps will be transparent to leadership. Periodic penetration testing is an essential tool to provide a reality check and validate cybersecurity controls coverage and efficacy. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation activity.
Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don’t wait for the threat actors to do it for you.
Rich Armour is a senior CISO and technology executive with deep experience in cybersecurity and information technology leadership and transformation across large global enterprises. Rich has successfully led large scale global information technology transformation … View Full Bio