Does Your Corporate Information Security Culture Stack Up?
I recently read a post titled “Interesting Tweet: Do not underestimate human error” that referred to the following Tweet by Jason Specland:
The answer to ‘What idiot did this?’ is almost always a smart, well-intentioned person making trade-offs you hadn’t even considered.
This Tweet reminded me of a recent conversation I had with a Fortune 500 CISO. We were discussing a project involving his team during which he discovered shortcuts taken – shortcuts that would almost certainly have increased the security risk profile of the project. Why those shortcuts? The project manager focused on delivering the project within a specified budget. That focus on budget was based on a mindset she had adopted that rooted itself in the project management culture surrounding her at the firm.
Luckily, the CISO helped the project manager envision an alternative solution—one that did not embrace security shortcuts to achieve financial goals. Yes, the project came in over budget. But the CISO personally endorsed the alternative solution to ensure that data security wasn’t compromised. In the end, the organization delivered the project with the requisite security assurances to stay off the front page of The New York Times as the latest corporate victim of a cyberattack.
We Need to Focus on Corporate as Well as Human Error
When analyzing cyberattacks, many discussions focus on the one employee who clicked on an email attachment or fell victim to social engineering. But human error extends to people, teams, and entire corporate cultures where critical cybersecurity decisions and assumptions are made that result in devastating consequences. Consider the project manager mentioned above and think about the cultural mindset that frequently pervades project management. It’s both amazing and frightening that so many project management teams continue to compromise security in the name of budget.
The Commission on Enhancing National Cybersecurity noted in its recent report that “companies are under significant market pressures to innovate and move to market quickly, often at the expense of cybersecurity.” Those pressures contribute to creating corporate cultures that value budgets and timelines over security—only to rue those decisions after the cybercriminal gets inside. “First-to-market” often preempts “secure-to-market.”
This is one of the key challenges facing CISOs across corporate America. So how do we reshape the corporate mindset so that data security becomes as critical a success driver for project management as budget adherence and overall project timelines?
Change Corporate Culture to Instill Greater Security Awareness
In his book “People-Centric Security,” Lance Hayden writes about the importance of focusing on a broader corporate mindset rather than an individual mindset. To be successful, Hayden says, “You have to extend beyond individual behaviors and get to the root of generally accepted beliefs and assumptions held by the Group.” You must “tap into the programming that drives decisions.”
That “programming” didn’t happen overnight, and it isn’t going to change overnight either. For a CISO, hacking a corporate culture is significantly more complex a task than the typical hacking we read about every day.
Earlier this year, Accenture’s High Performance Security Report reinforced the necessity for “making security everyone’s job.” 98% of the 2,000 global security executives surveyed said that “for breaches not detected by the security team, the company learned about them most frequently from employees.” The report further states:
To build a culture of cybersecurity awareness, organizations should view state-of-the-art cybersecurity as an organizational mindset – one capable of continually evolving and adapting to counter challenging threats. To foster a culture of cybersecurity and digital trust, organizations must emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.
How the NTSC Will Help CISOs Build Security-Centric Corporate Cultures
In 2017, the NTSC will address the importance of building corporate cultures designed to create “security aware” associates. We will leverage some of the best technology security minds in corporate and academic America with a view toward highlighting challenges and identifying best practices. The NTSC has also partnered with Aware Force, an innovative new service that helps corporations of all sizes position cybersecurity as “top of mind” for employees within organizations.
Because cybersecurity will clearly remain at the forefront for both the private sector and our government in 2017, we all need to address our corporate mindsets if we are to combat cybersecurity threats as a nation.
Patrick D. Gaul, Executive Director/NTSC