Why strong leadership is crucial for cybersecurity

An effective governance model ensures that good cybersecurity practices and procedures are maintained properly

Mike Mullane
e-tech
4 min read · Apr 26, 2020


Intrusion detection and prevention in the Wild West. (Publicity still for the Rustlers Of The Badlands 1945 movie with Tex Harding (right) and Dub Taylor (left). Source: Wikimedia Commons)

In the movies, cyber-crime is often portrayed as a modern-day Western, with good and bad nerds shooting code at each other instead of bullets. The truth is far more mundane. Very often data breaches happen simply because employees are negligent or make mistakes.

According to a report from IBM and the Ponemon Institute, human error was responsible for nearly a quarter of all data breaches between July 2018 and April 2019. The best way to mitigate that risk is with a holistic strategy that addresses technology, people, practices and procedures.

Importance of strong leadership

Ensuring those practices and procedures are properly maintained relies on an efficient governance model, such as the one outlined in ISO/IEC 27014. This standard defines cybersecurity governance as the “system by which an organization’s information security systems are directed and controlled”. It requires strong leadership from the top of the organization. Ultimately, though, it is the job of all managers to implement the relevant policies and principles in their departments. Unfortunately, senior executives in some organizations continue to believe that cybersecurity is a problem for the IT Department, rather than a leadership issue.

An organization’s CEO plays an important role in defining the values of an organization. He or she has the power and influence to make cybersecurity an important part of the organizational culture. According to Carrick and Dunaway, “Employee Engagement arises out of culture and not the other way around”. No matter how good the strategy, it will not work unless personnel buy into it. “Culture eats strategy for breakfast” is a saying often attributed to the management guru, Peter Drucker.

In 2017, the consumer credit reporting giant, Equifax, disclosed that cyber criminals had accessed sensitive information about 145 million people, including social security numbers, birth dates and private addresses. The CEO’s response was to attempt to deflect blame onto a software provider and when that did not work, he pointed the finger at a lowly IT technician for allegedly failing to apply a security patch. Equifax’s handling of the data breach is often cited as an example of a weak cybersecurity culture, where leaders do not assume their responsibilities.

Building awareness

Lack of awareness about risk issues is another sign of a weak cybersecurity culture. It can be easily remedied with training and capacity building activities, which should start at the new employee induction stage. For example, some organizations give every new employee an information pack including short texts, video content and interactive quizzes about cybersecurity etiquette. An effective induction process also provides an opportunity for assessing an employee’s existing knowledge and risk assessment skills.

Many of these organizations also provide continuous training programmes that not only reinforce a set of desired values and behaviours, but also help employees to increase their knowledge and skills in this area. All staff usually take part, including managers, and the best courses are flexible enough to meet individual needs. In most organizations there are very different levels of skills and knowledge. Online learning is a technique that is often used as it offers the flexibility to provide beginner, intermediate and advanced options to staff with different levels of knowledge.

Online courses are a good way of providing general users with security awareness training that explains and reinforces the organization’s security policy, including such topics as best practices (e.g. file sharing), software security and incident reporting (emphasising the importance of transparency). Other possible modules might include physical device security, mobile security, especially for those on business trips or working from home, and case studies to make it real. Technical users are given access to more in-depth, role-based training modules based on the functions and processes of the organization. Again, the best programmes reinforce the importance of transparency, include case studies, and explain reporting and escalation procedures.

International standards

ISO/IEC 27014 recommends training and awareness programmes to establish a positive information security culture. The standard recommends roles and responsibilities for executive management and boards of directors in all types and sizes of organizations. The objectives of the standard are to “align security program and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed”. The standard defines six overarching governance principles, which are defined as “accepted rules for governance action or conduct that act as a guide for the implementation of governance”:

1. Establish organization-wide information security

2. Adopt a risk-based approach

3. Set the direction of investment decisions

4. Ensure conformance with internal and external requirements

5. Foster a security-positive environment

6. Review performance in relation to business outcomes

It also defines five governance processes, which are “a series of tasks enabling the governance of information security and their interrelationships”: evaluate, direct, monitor, communicate, and assure. Together, these principles and processes form the governance of information security.

Journalist working at the intersection of technology and media