Security’s people problem — and how executives can help fix it
Perhaps the greatest power high-level executives and board members have is the ability to change the culture of security in their organizations
—It’s the stuff of nightmares for many chief information security officers (CISOs): one disgruntled employee in the wrong position brings an entire organization to its knees.
While the conversation around cybersecurity risks often revolves around external threats, internal ones are among the greatest companies face. Most of these incidents are accidental, not malicious, says Joanne Martin, the CISO advisory practice lead for Hartman Advisors.
How can companies reduce those accidents?
“Culture” she says, “is your tool to eradicate stupidity.”
Internal security initiatives can often feel like an imposition on employees by a small group of cyber-doomsday cultists within a company.
“We’ve seen a tremendous shift in conversation that is occurring at the senior management and board level,” says Anthony Grieco, security director and trust officer for Cisco. “They [boards and senior management] are now understanding that technology is going to play a tremendous role in enabling the business from a perspective of products that are actually being delivered to the company’s customers.”
Grieco was speaking on the “Security in the Boardroom” panel at a recent cybersecurity forum held by The Chertoff Group, an advisory firm focused solely on security and risk management.
It’s a sort of “trickle-down theory” of security within companies: If upper-level executives can build security into every conversation, not from a tech perspective, but from a business-impact perspective, it will help tie security to the overarching vision and mission of the company, says Deb Fitzgerald, Deltek’s chief information officer.
Cultural shifts require buy-in at the board level. But it can be difficult for CISOs to communicate to their respective boards why they need to implement certain practices without quoting obscure statistics that boards don’t understand.
“A board needs to designate a member who’s keeping track of security culture. Senior levels can’t abdicate [security responsibility] to the CISO,” says Grieco.
Companies also need to be aware of how both board members and employees will absorb the language used to describe a security initiative.
“When you start talking ‘insider threats,’ your employees start thinking you don’t trust them,” says Martin.
Approaching security as a cultural change, rather than an IT initiative helps employees buy into security without feeling like they’re being accused of doing something wrong.
The more employees think about security from a business impact point of view, the less it will feel like a set of arbitrary hurdles obstructing workflow.
Fortunately, thinking through intelligent security culture has benefits for combatting threats within and beyond the organization, says Grieco.
The fundamentals of security apply both internally and externally, says Grieco: “What are you defending? How are you going to do it? What are your failsafes?”