Senior management’s enabling influence on other success factors
A highly motivated and engaged top management can play a significant role in helping achieve several of the other success factors associated with creating and sustaining a high-performance information security culture. Here are six steps to get right:
1. Building a culture of ‘we’re in it together’
By “walking the talk” and actively participating in cybersecurity readiness activities, senior management can help build and sustain a highly involved culture in which all members of the organization are emotionally invested, accept that cybersecurity readiness is everyone’s business, and understand that each of them has an important role to play. As I write in my book, senior leadership can help build emotional capital, a key ingredient for fueling a “we’re in it together” culture, “by creating a work environment where employees: a) feel valued and develop a sense of belonging; b) take pride in their work; c) are having fun; and d) perceive leadership to be genuine and authentic”.
Marcin Ganclerz, a cybersecurity awareness and training specialist, emphasizes the importance of creating such a cohesive culture. Referring to it as a culture of enablement and not fear, he said: “When you have this culture of fear, employees don’t want to report any suspicious email; they are afraid of making mistakes because you blame them for the mistakes.”
2. Empowering the role of CISO
The effectiveness of the CISO role and function often depends on the extent of C-level support and commitment, and on the CISO being able to operate with a high level of independence and objectivity. According to Vishal Salvi, CISO and Head of Cyber Practice at Infosys, the CISO needs to deliver on his or her agenda to gain trust and credibility. He also believes that the CISO’s ability to meet and exceed expectations depends on the reporting structure. “Make the CISO independent of CIO and elevate the CISO to a level where they are able to drive the mandate of cybersecurity,” he said. “The more elevated and more empowered the CISO, the more committed is the organization’s mission to cyber.”
Whether the CISO reports directly to the CEO or to an independent oversight body (such as the board of directors or its audit committee) is a decision that top management can significantly influence. In addition, by recognizing the CISO role as that of a strategic enabler and involving the CISO in strategic decision making, the senior leadership team is more likely to prioritize projects and initiatives on a risk-informed basis.
3. Ownership and responsibility must be shared
In addition to appropriately empowering the CISO function, there needs to be cross-functional ownership of cyber risks and accountability for breaches when they occur. Top management can enable this governance approach by requiring that every cybersecurity project and initiative has a named business owner and sponsor. Where security services are outsourced, top management should mandate a rigorous vetting and selection process followed by close monitoring of vendor performance. Service level agreements (SLAs) should be crafted so that third-party service providers have “skin in the game” and work closely with their clients to protect the data they hold on the client’s behalf.
Such due diligence is essential to mitigating the risk of data breaches caused by vendor negligence and inadequate monitoring and oversight by client organizations.
4. Awareness and training
It is standard practice, and often mandated by regulation, for organizations to require all of their employees and other stakeholders to participate in cybersecurity training programs and workshops. For such training to be truly effective, it must be customized to the audience and personalized to the individual.
The depth and content of training should match each employee’s role and responsibilities; a software developer, a finance clerk and a system administrator face different threats and need different skills. Immersive training methods involving gamification and hands-on exercises are more effective than the standard approach of watching videos and demos and then answering a set of questions.
Another best practice is to offer continuous skilling and re-skilling opportunities and to incentivize the commitment to learning. In the spirit of daily puzzles such as Wordle and Nerdle, the word and mathematics games, organizations can adopt an incremental, continuous approach to spreading security awareness and knowledge in small, regular doses rather than a single annual session. Senior leadership should encourage and evangelize innovative and substantive approaches to information security training, and ensure that this important preparedness mechanism does not degenerate into a check-the-box exercise.
5. Prompt processing of threat intelligence
A variety of intelligence tools, feeds and resources are at the disposal of teams focused on gathering and processing threat intelligence. The challenge lies less in acquiring intelligence than in triaging alerts promptly and acting on them.
Organizations are often found wanting in their ability to follow through on intelligence received from external sources. For example, the 2017 breach at Equifax, a credit reporting agency, exposed the personal data of nearly 150 million people. It exploited a known Apache Struts vulnerability for which a patch, and a vendor advisory, had been available for months; the breach could perhaps have been avoided had management acted quickly on the intelligence it received.
It is imperative that suitable governance structures and procedures are in place to ensure that threat intelligence alerts are logged, assigned to an owner and acted upon within a defined time frame. The rationale for a decision to act, or not to act, also needs to be documented so that it can be reviewed later. Top management intervention can go a long way toward instilling this threat management discipline.
6. Security audits and drills
One hallmark of a highly disciplined information security culture is the continuous review and rehearsal of an organization’s information security plan and recovery capabilities. Compliance requirements often mandate periodic information security audits and simulated practice exercises to identify and address deficiencies. Top management at exemplar organizations can take this a step further by requiring continuous, near-real-time security auditing and by conducting regular, extensive information security drills, from tabletop exercises to full-scale incident response and recovery simulations.