“A chain is only as strong as its weakest link.”
A recent study from IBM concluded 95% of successful cyber-attacks are the result of human error. Why is it that we’ve been treating better technology as the solution to cybercrime? People are the last line of defence against cyber-attacks within organizations.
The Role of Technology
Technology certainly does play a role in protecting companies: patching software and having security measures in place make cyber-attacks more difficult. Because of this, the status quo in the security world has been focused on creating better technology. For decades, it was declared we simply needed to buy better anti-virus and firewalls. But technology is only part of the solution.
The Role of People
As Facebook’s CSO highlights, more harm comes from the behaviours, business processes and assumptions users have about cyber-security. To a room full of cyber-security experts at the Blackhat conference, Alex Stamos proposed relationship building and education as a solution to ever-increasing cyber-crime.
“The truth is that the vast majority of harm comes from the simple problems that are difficult to solve, such as the rampant reuse of passwords.”
To accomplish this, individuals need to understand their role in cyber-security. There needs to be an ongoing conversation across departments. Business processes need to take cyber-security into account. How can organizations create pan-organizational conversation and awareness of security?
Best Practices for Organizations
To take tangible steps toward incorporating cyber-security into an organizational culture, Fred Kniep from Compliance Weekly, an expert on cyber-security, created a list of best practices for organizations to implement.
1. Ensure a security representative is attending all board meetings
This requires a company to designate one (or several) individual(s) to own the security program. It also requires that security be prioritized at the very top of the organization. If the executives don’t recognize the value in cyber-security, it’s unlikely that the rest of the organization will.
2. Educate the security representative on how to effectively communicate cyber-risk
Effective communication is essential. The security representative(s) will need to be able to translate technical jargon into concepts that other departments can understand.
3. Provide security representatives with business context
Fred emphasizes that there needs to be a two-way conversation. The security representative needs to understand the pressures and motivations of the different departments.
4. Clearly differentiate between cyber-risk management and compliance
Being compliant is a snapshot in time. Cyber-risk management is like managing any other business risk: it involves taking daily steps to get to a comfortable level of risk.
It’s Everybody’s Business
Ms. Smibert summarized this well in a recent interview with Ben DiPetro at The Wall Street Journal.
“Cybersecurity is not just an IT issue, it’s everybody’s business... You can’t just buy tools and hope they work; there are lots of processes and human elements to having a proper risk management and cybersecurity program. It takes training—and boards and executives need to attend and participate”
– Suzie Smibert, CISO, Finning International
Contributed by Kathryn Chamberlain. Kathryn is a business development officer at Beauceron and a Venture for Canada fellow. Kathryn holds an honours Bachelor of Commerce with a minor in Mathematics from Mount Allison University ('17). Her research interests include organizational behaviour and culture. She can be found on Twitter @_kachamberlain.
Image courtesy of Luis Deliz / Flickr. Used under Creative Commons license.