
Cyber security: whose domain does it fall under?

It’s a question companies throughout the world are trying to find the answer to, as cyber security can be perceived to fall under the remit of both IT and security teams. Here, Independent Security Consultant, Peter Houlis, with the support of Dr Chaditsa Poulatova (co-author), Academic and International Advisor at Cyber Rescue Alliance, argues that it is very much still an issue for the security team.

A few months ago, I attended an IT workshop on cyber security. For a security veteran, listening to the IT professionals talking was like taking a step back in time. “Why can’t we get the attention we deserve in the Board room? Why does the C-suite underestimate our value? Why don’t the CEO, CFO, COO appreciate the importance of cyber security? We need more finance, more technology. Don’t they understand the risk? We need to increase the fear factor.”

No, No, No!

Foremost, the ‘fear factor’ has historically proven a poor way of selling security, making it a grudge purchase. Moreover, at executive level, ‘risk is just risk’ – it doesn’t matter where it emanates, it’s about how the organisation controls and manages it for commercial gain, in line with the business risk appetite.

From my personal experience of applying an ISO 27001: 2018 Information Security Management system during my tenure as Managing Director of a multi-award-winning security integrator, I can confidently state cyber security is not an IT problem. With the increasing convergence of the physical and digital world, it remains a security problem and a business issue.

Cyber security is assumed to be an IT department problem because it focuses on defending computer systems and digital infrastructure (data centres, websites, programmes, servers and accounts, all of which are vulnerable to cyber attacks) from attack or misuse. However, it is a lot more complicated than merely deploying technology, as the threats are numerous, varied and dynamic. That’s not to decry the necessity of virus-protection software, analytics and robust firewalls.

Company culture

Cyber security shares a symbiotic relationship with physical security. As such, it sits within the far-reaching information security management discipline, which concerns all of an organisation’s information assets, whether they are digital or physical, and whether an attack manifests itself virtually or physically. Accordingly, it is not the problem of an individual or department but a critical business issue that can have a significant financial impact, and consequently the responsibility of every employee from the C-suite to the shop floor. The strategic value of security must permeate throughout an organisation by cultivating and embedding a culture of security awareness, and by making it a business priority based on sound management, training and communications.

A security-aware culture will enable organisations to adapt to the evolving environment while staying focused on their primary objectives, by reducing risks to an acceptable level and increasing resilience, which is considered an essential executive business strategy.

Security awareness is all about changing employee conduct, replacing high-risk behaviours with the required ones in order to reduce and mitigate security risks to the organisation. For instance, employees recognise security threats and vulnerabilities when they notice someone asking seemingly innocent questions, spot small security misdemeanours being overlooked, or realise they are being followed suspiciously. It is also crucial that employees know how to respond to breaches and who to notify, and that they understand the security policies they must adhere to and the consequences of failing to comply.

Security professionals have grown to appreciate the value of an active security culture. It has been described by the Australian Government publication, The Insider Threat to Business (2010), as:

An embedded security culture complemented with the appropriate security processes and procedures raises staff confidence and awareness to tackle a diverse range of criminal activities. This can be anything from theft and fraud prevention to espionage and terrorism, and empowers them to undertake the appropriate corrective action to alleviate the risk. Furthermore, it will help counter a disproportionate reliance on technical security measures and reinforce the importance and value of adhering to security policies and procedures.

Security leadership

Without doubt, leadership is a cornerstone of good business, and strong security leadership is fundamental to developing a security culture that aids resilience and crime management. The security lead needs to understand risk and have the security knowledge to develop business-friendly security policies and processes in conjunction with other business units. Above all, the security lead needs to be a competent manager vested with the requisite management skills: the ability to plan, organise, direct, coordinate and control, and everything these functions entail from a security perspective.

Equally important is effective communication. The ability to converse and exchange information, ideas and instructions throughout the organisation, and to command the respect of superiors, subordinates and peers alike, is vital to nurturing and building alliances founded on mutual respect for ability and subject knowledge. Furthermore, security leaders must develop good but ethical relationships with external bodies, being flexible on small issues but dogmatic in matters of morality and legality.

Achieving a dynamic security culture relies on strong leadership and communication to instil the expected behaviour, by persuading people and explaining why it is in each person’s interest. Get this done and you are well on your way to adequate security in both the physical and virtual realms.
