As a Chief Information Security Officer (CISO), you’re likely to have put forward many plans designed to improve the overall security posture for the users of your organisation. Much of the time, you’ll receive executive sign-off and then roll out whatever initiative it might be. The aim of your programme, outlines Todd Wade, is to help end users understand the need for good cyber security practices, to protect themselves better and improve overall cyber protection for the company in the process.
Your initiative might be something like enabling multi-factor authentication across the company or hardening password policies, but in reality it could be any number of things. The important point to note is that it will only be effective if it’s supported by the actions of users. If there’s one constant seen across most companies, it’s that executive teams are generally the worst when it comes to applying good cyber security habits.
Why is that? Given the risks involved, you would expect good cyber security hygiene to be practised top-down, with the senior team leading by example to influence the staff below. Instead, it’s often the reverse – where security and related functions have to battle to drive strong cyber security and risk management disciplines up through the organisation. This is especially true for SMEs.
Usually, once the security team has approval to implement policies for the entire company, ‘capturing’ the employees at the ground level is the easy part. These staff don’t have the influence or power to push back against the policies. Your CEO and senior executives do. It’s often a case of “absolutely, we need to ensure the entire company follows best cyber security practices – just not me”. In smaller companies in particular, these individuals often have enormous sway to do as they like since they’re instrumental to the company’s success.
Falling victim to ransomware
To illustrate the point, here are two of the most common excuses CISOs will have heard over the years: “Password policy is too complex. I can’t remember these types of passwords. Please make mine a four-digit limit so that I can remember it better” and “Multi-factor authentication? I just want to check my e-mail! This takes too much time and is too difficult.” The list goes on.
Unfortunately, it’s a common occurrence for an executive to fall victim to a ransomware attack because they found security rules such as multi-factor authentication too burdensome and failed to follow them. Executives often take the attitude and reasoning that: “If anything stops me going at the pace I want to go at, it’s just not happening.”
Why does it take an attack for some executives to be serious about security? I’m sure this is a story everyone in leadership positions in cyber security can relate to, but what’s the fix for all of this?
Just for the record, cyber security awareness programmes are really important, and there are all sorts of techniques that can help you put your message across. While awareness is important, in most cases it’s just not enough.
The Harvard Business Review sums up an excellent tactical approach to help solve this issue: “How can a CISO work around a decision-maker’s inattention? No-one likes to be embarrassed, but negative feedback can sometimes be an effective remedy for inattention. Security teams should regularly try to break their own systems through penetration testing and the CEO should be the biggest target. After all, that’s how outside hackers would see it. By making the CEO the victim of an internally initiated (and safe) attack, it might be possible to draw their attention to potential risks that already exist and motivate all business leaders to increase their investment in cyber infrastructure.”
While subjecting the CEO or other executives themselves to penetration testing is potentially a great idea, we should go even further. Hire an external ‘pentest’ team to do an analysis. Third parties will lend an extra level of gravitas and credibility to the findings. Take the penetration test results and package them in a way that executives will relate to, such as attaching a loss figure to a real attack (should it materialise). Tell them how much it would potentially cost the company were these vulnerabilities to be exploited.
Also – and this is the really important part – use the conversation as a trigger. After all, this shouldn’t just be about fixing the specific vulnerabilities you found. Use it as an opportunity to start a dialogue with decision-makers about the organisation’s true cyber risk profile and the role they must play in securing its survival well into the future. Remember – it’s a question of when, not if.
Todd Wade is Principal Consultant at CRMG
Todd Wade is a senior technology leader, having served as CTO at Skechers (a major retail presence on the global stage), and brings a fresh perspective to the world of cyber security and risk as a direct result of being able to apply the senior executive’s lens to fundamental cyber risk management concepts.