Cyberattacks are increasing in number and growing in sophistication. Organizations must develop a comprehensive plan, executed with great precision and consistency, if they are to protect themselves. The creation and sustenance of a high-performance information security culture is needed, and the drive for change must come from the very top. In my book Cybersecurity Readiness: A Holistic and High-Performance Approach, such a culture is characterized by three key traits: commitment, preparedness, and discipline.
This Commitment-Preparedness-Discipline framework (see the charts below) is holistic and recognizes that âtechnology alone will not mitigate information security risksâ.
There are several pieces to the complex puzzle of cybersecurity management, and technology is only one of them. Committed leadership, robust governance procedures, informed and motivated personnel are other success factors.â
Sustained commitment at all organizational levels and beyond (value chain partners), coupled with a rigorous approach to securing data, network, locations, people, and storage devices, and the discipline of meticulous planning, sound execution and continuous monitoring, are the cornerstones of an effective cybersecurity governance program.
Each of the information security cultural traits of commitment, preparedness, and discipline, are associated with several success factors. In this article, I focus on âHands-On Top Managementâ, not only due to its innate significance, but also because senior leadership can play a significant role in enabling the realization of other success factors.
This implies active participation and involvement of C-level executives in cybersecurity initiatives, including planning, execution, monitoring, training, assessment, and review.
In exemplar organizations, members of the senior leadership team are known to serve on governance and oversight teams and committees. They continuously strive to stay abreast of the organizationâs vulnerability points and defense mechanisms, actively engage in cybersecurity strategizing, take ownership and responsibility for cybersecurity investments and actions; and champion and evangelize the importance of cyber preparedness throughout the organization.
Other recommended best practices include: a) the state of cyber readiness consistently featuring as an important agenda item in top management meetings; b) regularly briefing the
board on the state of preparedness; c) participating in training sessions and workshops; d) engaging in cyber defense simulation exercises; e) introducing incentives and rewards to motivate adoption of the desired cybersecurity behavior; and f) adopting suitable measures and metrics to track and monitor performance.
Is it a tall order to expect the senior leadership to treat cybersecurity readiness as a core competency and an integral part of an organizationâs value propositions ?
Is it a tall order to expect senior leadership to treat cybersecurity readiness as a core competency and an integral part of an organizationâs value propositions? Should CEOs need much convincing in actively engaging in cyber governance? Not really, if you asked Rohit Verma, the CEO of US-based insurance firm Crawford & Company. In a podcast interview, Rohit said that âif the leadership of other organizations needs any convincing about staying up with cyber training, all they need to do is look up the Wall Street Journal for the last three months and read about the extent of havoc cyberattacks can cause an organizationâ. He added that âseveral of us in senior leadership are digital immigrants and not digital natives. Many of the security issues are new to us. We will be naĂŻve if we donât take interest and are not willing to learn and stay updatedâ.
A review of major breaches from 2013 to 2019 brings to light alarming instances of vulnerabilities and shortcomings that can be broadly classified under negligence and lack of preparedness.
It is incumbent on the senior leadership to try to ensure that such glaring security lapses never happen. They need to work closely with the legal team to ensure that due diligence standards are not only met but exceeded. While compliance with regulatory requirements are important steps in the right direction, exemplar organizations and their leadership will go above and beyond in making substantive efforts to protect sensitive assets.
When top management is proactive in adopting robust security measures and does so because it is the right thing to do â and not because there is a legislative requirement â then thatâs when they have taken a huge leap forward in establishing a high-performance information security culture. In the event of a successful attack, they can say to their stakeholders and the public at large that they left no stone unturned, and made every reasonable effort to prepare. Such organizations and their leadership are likely to be viewed and treated fairly, whether in a court of law or the court of public opinion.
The good news is that over the years surveys and research reports reveal a marked improvement in how top management has started viewing cybersecurity readiness. There is greater realization that information security management can be a core competency and a source of competitive advantage. A cybersecurity thought leader said it best: “Most people think about security as avoiding a bad thing. Let’s not get hacked. That is a good way to think about security, but it’s incomplete. We need to think about not just how do we avoid a bad thing, but also how do we get a good thing? Not just how we do not get hacked, but how can we gain an advantage?”
A highly motivated and engaged top management can play a significant role in helping achieve several of the other success factors associated with creating and sustaining a high-performance information security culture. Here are six steps to get right:
Â
By âwalking the talkâ and actively participating in cybersecurity readiness activities, senior management can help to build and sustain a highly involved culture where all members of the organization are emotionally invested and have bought into the fact that cybersecurity readiness is everyoneâs business, and that they all have an important role to play. As I write in my book, senior leadership can help build emotional capital, a key ingredient for fueling a âweâre in it togetherâ culture, âby creating a work environment where employees: a) feel valued and develop a sense of belonging; b) take pride in their work; c) are having fun; and d) perceive leadership to be genuine and authenticâ.
Marcin Ganclerz, a cybersecurity awareness and training specialist, emphasizes the importance of creating such a cohesive culture. Referring to it as a culture of enablement and not fear, he said: âWhen you have this culture of fear, employees don’t want to report any suspicious email; they are afraid of making mistakes because you blame them for the mistakes.â
Â
The effectiveness of the CISO role and function often depends on the extent of C-level support and commitment, as well as being able to operate with a high level of independence and objectivity. According to Vishal Salvi, CISO and Head of Cyber Practice at Infosys, the CISO needs to deliver on his or her agenda to gain trust and credibility. He also believes that the CISOâs ability to meet and exceed expectations also depends on the reporting structure. âMake the CISO independent of CIO and elevate the CISO to a level where they are able to drive the mandate of cybersecurity,â he said. âThe more elevated and more empowered the CISO, the more committed is the organizationâs mission to cyber.”
Whether the CISO reports directly to the CEO or to an independent external committee (such as the board of directors or audit committee) is a decision that can be significantly influenced by top management. In addition, by recognizing the CISO role to be that of a strategic enabler and
involving them in strategic decision making, the senior leadership team is likely to be more effective in risk-based prioritizing of projects and initiatives.
Â
In addition to appropriately empowering the CISO function, there needs to be cross-functional ownership and accountability of cyber risks and breaches. Top management can enable this governance approach by requiring that every cybersecurity project and initiative has a business owner and sponsor. Even in the case of outsourcing of security services, top management should mandate a rigorous vetting and selection process followed by close monitoring of vendor performance. Service level agreements (SLAs) should be suitably crafted to ensure that third-party service providers have âskin in the gameâ, and work closely with their clients and customers to protect data stored on their servers.
Such due diligence is essential to mitigating the risk of data breaches caused by vendor negligence and inadequate monitoring and oversight by client organizations.
Â
It is standard practice, often mandated by regulations, that organizations require all of their stakeholders to participate in cybersecurity training programs and workshops. For such training to be truly effective, it must be customized and personalized.
Depending on their roles and responsibilities, employee skill and awareness level need to be suitably enhanced. Immersive training methods involving gamification and a hands-on approach is more effective than the standard approach of watching videos and demos and then responding to a set of questions.
Another best practice is to offer continuous skilling and re-skilling opportunities and incentivizing the commitment to learning. Like Wordle and Nerdle, the daily word and mathematics games and challenges, organizations can adopt an incremental, continuous approach to spreading security awareness and knowledge. Senior leadership should encourage and evangelize innovative and substantive approaches to information security training. They need to ensure that this very important preparedness mechanism does not degenerate into a check-the-box exercise.
Â
A variety of intelligence tools and resources are at the disposal of organizational teams focused on gathering and processing threat intelligence. The challenge lies in the prompt processing of alerts and taking prompt action.
Organizations are often found wanting in the ability to follow through on the intelligence received from external sources. For example, a 2017 hack at Equifax, a credit reporting agency
that exposed the personal data of nearly 150 million people, could perhaps have been avoided if management had acted quickly on the intelligence received.
It is imperative that suitable governance structures and procedures are in place to ensure that threat intelligence alerts are properly logged and acted upon. The rationale for a decision to act, or not to act, also needs to be documented. Top management intervention can go a long way in instilling this threat management discipline.
Â
One hallmark of a highly disciplined information security culture is the continuous review and rehearsing of an organizationâs information security plan and recovery capabilities. Compliance requirements often mandate the conducting of information security audits and simulated practice exercises to identify and address deficiencies. Top management at exemplar organizations can take this a step further by requiring real time and continuous security audits and conducting extensive information security drills.
âLike Wordle and Nerdle, the daily word and mathematics games and challenges, organizations can adopt an incremental, continuous approach to spreading security awareness and knowledgeâ
Audits are reactive by nature and provide after-the-fact insights. While such revelations are valuable, often they are not timely enough to avoid disasters. So, the practice of creating audit teams that continuously engage in identifying and reporting on security vulnerabilities is a step in the right direction. It is relatively standard practice for organizations to engage third-party service providers to test the various technical controls. But organizations need to go beyond regular penetration testing and expand the scope of the real-time audits to include a thorough review of administrative and physical controls. Top management also needs to ensure that the audit report findings are being promptly reviewed and acted upon. The findings and actions taken must be documented and regularly reviewed by a senior leadership team.
Conducting periodic fire drills is a relatively common and established organizational practice. Carrying out extensive information security drills to assess an organizationâs ability to recover from different types of breach scenarios is the next-level practice that marks out a highly security conscious organization. Regularly rehearsing action plans will help an organization to stay at a high level of cyber readiness. It is highly recommended that top management actively engages in, and get others involved in, rehearsing disaster recovery plans under different threat scenarios. The drills need to go beyond table-top exercises and simulate disaster scenarios as realistically as possible.
Since there is no guaranteed immunity from cyber threats and attacks, senior leadership often is at a crossroads when it comes to investing too much time, money, and other resources in reaching a certain state of preparedness. This mindset was evident during a C-level meeting at a
major healthcare organization, where the CEO encouraged the leadership team to focus on the organizationâs primary mission, i.e., providing quality care, and not wasting time, money and effort on trying to bullet-proof the organization from potential attacks.
Art Ehuan, Vice President of Palo Alto Networks, and a former FBI expert in cybercrimes, effectively articulates this leadership dilemma in the context of dealing with rampant ransomware attacks: âThe CEO is trying to decide, do I put more money into cyber, or do I put more money into customer satisfaction? You know, that’s sometimes a hard decision because you’ve got limited dollars and trying to make that decision is sometimes difficult.â
While the CEO is not expected to be the cyber chief for the organization, his or her active oversight and involvement can make a huge difference and does set the tone for how cybersecurity governance is viewed and practiced.
To improve decision making, every stakeholder â both internal and external âneeds to be given a voice, says Isabelle Deschamps, the mining groupâs Chief Legal Officer, Governance and Corporate Affairs ...
Antoine de Saint-Affrique, in a frank and open discussion with IMD President Jean-François Manzoni, explains his no-nonsense approach to problem-solving, the importance of speaking the truth, however uncomfortable, and knowing when itâs...
Dinner parties seem less civil affairs than they once did, with guests being dismissive of opposing viewpoints. Itâs symptomatic of a wider problem affecting discourse in all areas of society. So, whatâs...
Scenario planning is more valuable than ever â but what is it and how can executives implement it effectively? Peter Schwartz, author of the highly influential book The Art of the Long...
You have 4 of 5 articles left to read.