The Wrong Ways to Manage Cyber Security

So, you’re finally convinced that this “cyber security thing” is not going away.  Now what?  Well, there are many ways to go about this:  On the one hand, you can take ownership of the problem and address this clear and present danger to your business, or, on the other hand, you can “lie” to yourself, throw the ball over the technology wall, and assume that everything is taken care of!  You would be in good company.

You see, many executives are tricked into thinking cyber security is a technology problem.  Far from it.  Perhaps it is wishful thinking, or, given the high-tech nature of the risk, an honest misunderstanding of the issue.  It doesn’t matter:  The end result is the same.  Cyber security is not a technology problem.  It is a business problem, and most importantly it is a people problem.

To understand this better, consider for a second the actual role that Information Technology (IT) plays in your world.  The role transcends all the “crucial” and “essential” adjectives that describe your IT.  And, it holds true no matter what your business is, no matter what size company.  This role is the same for everyone, and it is a simple one:  IT generates Value.  It does so in a myriad of different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.).

Why is understanding the role of IT as a value creator important?  Because the priorities of the IT function and the priorities of the cyber security function are at odds.  Cyber security is about managing risk.  IT is about creating value.  Think of it this way:  IT is like a banker.  Their goal: Create value for the bank’s shareholders.  Take risks, underwrite those loans, develop creative financial instruments, do whatever it takes to generate value.  Cyber security is like the regulators.  Their concern is with the viability of the institution, the risk to the system, the possibility of failure.  You can easily see, I hope, that you cannot have the regulator (cyber security) report to the banker (IT).

Understanding that you need to segregate these two functions is the first step.  The next pitfall is understanding the real problem that your cyber security function is trying to solve.  Frequently, cyber security is thought of as a checklist exercise:  Get the right firewalls, the right antivirus, establish a set of policies and procedures, and you’re all set.  Do it and forget it.  Nothing could be further from the truth.  To be sure, there are technology elements in deploying the right defense-in-depth strategy for your company, but stopping there is treating a continuously evolving problem with a solution that will probably be obsolete by the time you finish reading this article.  Managing cyber security is managing a chronic condition.  Both the condition and the medicine applied will change and adapt with time.  Remember:  The real problem you’re trying to solve is how to manage cyber security risk.  It is a risk that continuously changes as threats and technologies change, and – just as importantly – a risk that you mitigate based on your risk appetite, which will also change based on market conditions and business priorities.

Which brings us to the real crux of the issue:  People.  In 2016 ISACA published the top three cyber security threats facing organizations in that year.  They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.  Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element:  People.

Social engineering is, essentially, a dangerous con game where hackers pretend to be trusted sources so that they can compromise your data.  “Your data” can mean anything, from your personal financial data, your medical information, and your family’s most private records, to your business data.  Social engineering can also morph into an extortion instrument above and beyond the typical ransomware, whereby the attacker encrypts your data and will only release the key after payment.  By compromising your personal information, the attacker may find personal vulnerabilities that they can use to turn you into an insider threat:  A person who willingly or unwillingly commits cyber fraud from within the company.

The good news here is that once you realize that this is a people-centric problem you can shift your focus and give it the proper attention.  You, for example, can institute a robust cyber security awareness program for your people.  Repeated quarterly, semiannually, or annually, as your company size and needs dictate, cyber security awareness training has proven to be one of the most potent controls against cyber crime.  Sensitizing people to the threats and the techniques, and giving them practical, realistic options, results in a safer cyber-workplace and safer employees.  In turn, being aware of employee behavior, access, and personal and professional goals can give you enough advance indication of possible insider threats before they turn into attacks.

The bottom line here is this:  Cyber security is not a technology problem that you can delegate.  It is a business problem affecting you personally and your people.  It requires your engagement along with that of your organization as a whole: Executives, IT, Cyber, Risk, Compliance, and staff.

Nothing less will do, and nothing less should be acceptable to you and your company.  The stakes are simply too high.
