As a Cyber security professional, the one question I keep getting asked, and that I even ask myself, is why people simply do not understand the ramifications of Cyber security.
By this, I mean that if we keep hearing stories about websites being hacked into, billions of passwords and credit card numbers being stolen, people paying thousands of dollars in Ransomware attacks, etc., why can’t people become proactive about it? What is holding us back?
When I use the term “people”, I am focusing on a very narrow segment of the population – those who are C-Level Execs and/or belong to a Board of Directors at a business or a corporation. If these people are so good at managing the bottom line and financial risks, why can they not apply the same principles to Cyber security?
This is the exact same question that the United Kingdom’s National Cyber Security Centre (also known as the “NCSC”) is looking into as well. Here are some key answers that they found in their particular study:
*C-Level Execs and Board Members simply cannot talk about Cyber security in plain English:
As mentioned, yes, they are great at talking about the bottom line and corporate takeovers, but they still cannot carry on the same level of conversation when it comes to the Cyber threat landscape. The main reason for this: they simply do not yet have enough of a technical grasp of the subject matter. In other words, they need to understand Cyber security to the same level that they understand finance and HR issues.
*Cyber security is still viewed as a compartmentalized issue, not one that the entire organization faces:
In pretty much all of the business entities across the United Kingdom, and even here in the United States, Cyber security is still perceived as a problem that the IT Department should solve, and even have sole responsibility for. To a certain degree this is understandable, because upper-level management thinks, “Hey, if these guys can fix computers, then they should be able to fix Cyber security problems as well. Why should I get involved?” Well, the truth of the matter is that the C-Level Execs and the Board Members very much need to get involved. This is because the Cyber attacker of today is not just going after the IT Infrastructure – they are going after the data, which crosses into other departments of the business or corporation as well, primarily HR, Accounting, and Finance. To cure this problem, a sense of shared responsibility needs to be cultivated within the organization. But this can only be instilled and driven by the leaders at the top of the food chain.
To get started on helping C-Level Execs and Board Members understand the risks that they face, they must be presented with five questions, and must be able to answer them without any help or guidance from their IT Department:
*How do we defend against Phishing Attacks?
*How do we control the usage of privileged access?
*Do we have a comprehensive plan put into place for software patches and firmware upgrades?
*How do we know if our third party vendors are ensuring that the information and data that we share with them is safe and secure?
*What are the authentication methods that we currently use in our organization (for example, are we using 2FA?)
I will go into more detail on these questions, and how they should be addressed, in a future blog. But when addressing these five key questions, the proverbial “C-Suite” needs to be fully responsible for understanding all of the Cyber security risks that they face, and for coming up with a strategy for how those risks should be dealt with.
This should not fall squarely on the shoulders of the IT Department – rather, their job should simply be to recommend the tools and technologies that will be needed to support the new Cyber security plans and strategies.
In this regard, even investing in Cyber intelligence tools to help model the threat landscape would greatly improve the C-Suite’s perception of the risks.
Yet another crucial shift in attitude and mentality also needs to happen immediately within the C-Suite. They often think that Cyber attacks are isolated incidents, and that it will never happen to them. But the truth of the matter is that they probably will fall victim as well.
In other words, they need to apply the lessons learned from other victims before their own organization becomes one as well.
If this thinking is not fundamentally changed, any budgets or money appropriated for dealing with a Cyber-based attack could end up being spent elsewhere, in another department.
And, when the time comes when these crucial funds are absolutely needed, they will not exist. This will mean a loss of business continuity, damaged brand reputation, and, worse yet, lost customers.
So, my advice to the C-Suite is to get a comprehensive Pen Test done of your entire organization. Imagine yourself as the victim, and within a short amount of time (not days, I am talking hours) come up with ways to fully restore business operations.