Driving A Cyber Security Culture Into The Business
Does the value of enterprise security still need justification at the C-suite?
In today’s dynamic and real-time world, you should not have to go the extra mile to persuade senior executives to buy into the value of cyber security. Believe it or not, some managers still believe that the expense is not worth the hurry — tell that to the ex-CEO of Target. If this is the case, this article will allow you to have a productive conversation about the value cyber security brings to the core business … and I emphasize business.
The experts continue to tell us to read organizations’ annual reports, corporate governance documents, shareholder conversations and minutes and any other insights we can get our hands on, which are mostly public records. These assets will provide us with the insights of what’s driving an organization from the top down and, in turn, what the leadership team is thinking about. Most likely there is a cyber security component across the enterprise.
You will likely find that cyber security shows up in these documents, but mainly around specific attacks, recent attempts to penetrate systems and mission-critical applications. If you look deeper, you may see critical success factors around risk and the challenge to maintain effective cyber security governance/controls, how to protect IP and privacy, and safeguard personal information.
The State Of Cyber Security Culture
The recent ISACA and CMMI Institute research on cyber security calls out the urgency and the facts regarding the end-to-end value of having a cyber security culture from a design point, and not just as an afterthought:
“The importance of strong cyber security is no longer in question in today's harrowing threat landscape, but less clear is how organizations put a strong culture of cyber security in place, beginning with leadership from the board of directors and inclusive of all employees. The 2018 Cybersecurity Culture Report from ISACA and CMMI Institute shows there is much progress to be made, as 95% of global survey respondents identify a gap between their current and desired organizational culture of cyber security. The research shows that prioritizing investment in training can be a meaningful driver of strong cyber security culture, while annually measuring and assessing employee views on cyber security is among the other steps that can lead to heightened awareness and improved culture.”
The value that I am referring to comes down to reducing cyber incidents, essential customer trust and keeping your brand safe. This report has everything to do with how having a cyber security culture — from the time an employee is hired to wherever he or she moves throughout the company — should be seamless. That is what a cyber security-oriented culture does; it creates and develops an environment that is always supportive and understanding of the resources required at the heart of any project, acquisition, software/hardware update, as well as any transformation into the future.
The report also calls out that 27% of respondents state that “a lack of senior executive buy-in or understanding” is one of the ultimate factors handcuffing a valuable culture of cyber security.
To get executive buy-in and address any overarching concerns, you will most likely need real-time evidence that is measurable and quantitative, in order to show benefit across the business. To help make this point, cyber security professionals should:
- Clearly illustrate what’s working, what’s not and what needs to be done to fix it.
- Show leadership that you not only understand the risks to the business, but you know how to measure and communicate those risks. This demonstrates and predicts the impact it can have, allowing business decision-makers to sponsor the efforts.
- Give them the next actionable steps that need to be taken. If you must, present a plan that is easily consumable by the decision makers.
I am amazed that the report showed 29% of respondents cited “a lack of funding” as one of the primary reasons inhibiting a strong culture of cyber security. Funding should be the least of the challenges as cyber security is as important as the mission-critical applications that all enterprises continuously update (e.g., CRM, ERP, and even email).
It is time to move beyond buy-in from a theory perspective. It is becoming much easier to show the value to C-level executives and the business: The evidence by industry, by incidents, by what happens to a company when they sit idle is evidence enough.
There are third parties today that will conduct an audit so the board will get behind your efforts. Experts also say to work closely with finance. They can demonstrate that not every dollar spent on cyber security is a dollar that could cause chaos in the core business. At the end of the day cyber security is actually “free,” which is an idea that comes from a book by Philip B. Crosby titled “Quality Is Free: The Art of Making Quality Certain.”
Mostly what needs to be done is to make sure that every dollar being spent on cyber security is well spent and impactful in providing value. Unfortunately, most C-level executives are looking for evidence that the cyber security team in place is adding enough value to cause a compelling reason to act on, as well as mitigate, all security risks.
The bottom line is that it is no longer enough to present the plan as a ‘nice to have.’ We are now in the era of ‘penetration’ from all angles — physical, data, cyber, personal, direct and indirect, and now IoT.
Prioritizing The Cyber Security Mindset
I think once we acknowledge the severity of the importance of cyber security, it becomes part of the culture; this is no different than what we have been asking people to do from a citizen perspective: “see something, say something.” We need to think about having cyber ambassadors within our organizations, and if we must develop an incentive plan, so be it.
It is crucial to make sure everyone — from employees to vendors to partners to contractors — understands cyber security and the role they play within the enterprise. It needs to be part of the DNA and supported by the proper evidence that shows priority of the investment. It is top-of-mind for every CIO, and each CIO is working closely with the CFO to shift the culture change, with a target and completion date.
The C-level wants more than a suitable level of protection. They want assurance on their investment. By educating the C-levels with evidence to carry the mantra of the cyber security caravan, you can get the support and allies to work across silos and naysayers. You are always focusing on expressing the value of cyber security and the need to make the appropriate changes that ensure the proper protection for the organization’s key assets and data.
When we are making decisions around cyber security like where to invest, how much to invest and how to prioritize, C-levels want to have the evidence and insights just like they do for other types of risk.
“A key motivator for organizations delaying investing in their cyber security cultures is a lack of awareness about the attempted threats and ongoing risks, as well as a lack of awareness about the assets at risk to cyber security threats,” said Rob Clyde, CISM, NACD Board Leadership Fellow, and ISACA Board Chair. “However, individuals tend to underestimate the potential damage and overestimate technology’s ability to limit such incidents. Doing so puts their organizations at serious risk.”
The Core Benefits
My experience says that most C-levels do not want to base these decisions on the best guess regarding cyber security effectiveness. Business leaders need evidence-based metrics and quantifiable data. They want quantitative proof before they engage their time and organizational resources, regardless of how strong the qualitative argument might be.
It all comes down to the cyber security team to provide the evidence needed for senior business leaders to make decisions that affect not just the culture of cyber security, but security in general. This starts with senior-level executives accepting the fact that this is as important now as customer service. The adoption, investment and the socialization of the value of cyber security across the company goes without saying. It is a no-brainer to approve the dollars spent on cyber security tools and resources consistently.
Does the value of cyber security need justification? The value is intrinsic, meaning it is self-evident that the value cyber security brings becomes strategic at the operational, managerial and leadership levels of the business. It will automatically pay for itself with a benefit payback that is at the core of any business: reducing cyber incidents, developing stronger customer trust and protecting the brand reputation.