Why cyber resilience and security leadership must come from the top of organizations
- Published: Thursday, 12 August 2021 08:23
In this article, Rick Jones suggests that, rather than finding someone to blame when security measures fail, it is imperative that company executives and boards take the lead when it comes to cyber resilience and security.
The mass shift to remote working that we have experienced since the start of the COVID-19 pandemic has moved the first line of cyber defence / defense from office-based PCs to employees’ own devices and WiFi networks. Unfortunately, working from home seems to have been a catalyst for employee apathy, and simple mistakes have crept in due to people letting their guards down whilst in the comfort of their own homes and working on personal devices. One study reported that 49 percent of employees have admitted to adopting risky behaviour as they felt they weren’t being watched by IT teams, and 56 percent of employers believe that their staff have picked up bad security practices while working from home. As a result, cyber security has never been so important, with malicious actors continuously taking advantage of weakened defences and click-bait phishing emails to gain access to corporate networks.
In what has been a period of significant and substantial change, employees need to realise that they have naturally morphed into becoming their own security compliance officer, and with hybrid working now emerging as the new norm, this ‘role’ is likely to continue. Away from the virtual perimeter of an office, IT and security teams’ ability to continuously keep track of potentially malicious activity is greatly reduced, so workers need to remain vigilant of security threats and take responsibility for keeping on top of cyber best practices independently.
So, in this new landscape, who exactly should be held accountable for cyber security within an organization? Historically, the CISO and security operations teams have been held accountable to the CEO for cyber security and reporting any breaches. However, I would argue that, to some extent, this is now everyone’s job, and that accountability should be driven from the top by providing staff with the right tools, processes, and training.
Top tier decision making
Cyber security is a significant investment, which is why c-suite decision-makers should be involved in the process from the very beginning to ensure it drives benefits to the business. Often, senior leaders are only involved when a breach has incurred large financial or reputational losses, but this is too little too late. These days, a cyber incident should be viewed as ‘when’ rather than ‘if’ it will occur: with every organization a potential target for malicious actors, it’s only a matter of time before each is hit. Therefore, those with decision-making responsibilities need to be driving a strategic and proactive, rather than reactive, cyber security strategy across their businesses from the top down. Despite the initial upfront cost, the ROI of cyber security tools and training is clear. It’s far better to spend money protecting your business now, before the financial and reputational costs are exacerbated.
With clear board investment (in both time and monetary terms), security will become part of the DNA of any organization. The board has the power to truly change its company’s culture and attitude towards cyber security by driving investment into the right training and resources so staff can work securely from anywhere, and leveraging the right security tools to bolster the activity of IT and security teams.
As well as coming from the top-down, a business’ cyber security approach should be developed collaboratively between decision-makers and IT and security teams. Both are working towards a shared goal of optimising the business and its processes, so communication and collaboration can enable the development of a cyber security strategy that best benefits the company and its goals.
While c-suite decision-makers are the financial gatekeepers within an organization, IT and security teams need to be their eyes and ears on the ground, helping to shape where this budget should be spent to maximise security and performance. What’s more, with investment in the right tools, IT and security teams can spend less time firefighting and more time improving existing processes, identifying possible new threats and communicating these to the wider company. The leadership team and IT experts both have individual roles to play in the development of a cyber-strategy, but with two-way communication they can ensure this strategy is streamlined and optimised for the business’ unique needs.
Protection from within
Investment in technology can only go so far when it comes to cyber security. At the end of the day, employees can pose the biggest threat to an organization, either through unintentional actions or by using unsecured devices to connect to the corporate network. With 47 percent of staff falling for phishing scams while working from home, they need to take as much ownership of cyber security as IT and security teams or the board. However, they first need to be educated on the threats their actions could pose and how they can best mitigate risk. After they have been provided with this information, they should be held accountable for reporting any suspicious behaviour, such as phishing emails or links, or anomalies they detect on the network, so they can be further investigated.
There is now such an overlap between employees’ personal and professional lives that employees should be made aware of the risks of accessing the corporate network from unprotected personal devices or of using the same password for their Facebook account and their work email account. People’s defences often drop when they are in their own environments, so staff need to remain aware and ensure they continue to follow the correct protocols and procedures, even when away from the watchful eye of the IT and security team.
Placing the responsibility for cyber security with one group is impossible, as each plays their own unique role in the process. While technical advice comes from IT and security staff, the board must be wholly bought into the idea of security in order for it to be adequately invested in and the correct culture encouraged throughout the company. Similarly, the wider employee base can be given all the tools and training available to them but at the end of the day they must take responsibility for how they safely access the corporate network and decide which links they choose to click on. The cyclical nature of this situation means that a business’ cyber defences may collapse if just one piece is missing. Each person in an organization must take responsibility for cyber security in order for a business to remain secure as the workplace evolves.
Rick Jones, CEO and Co-Founder, DigitalXRAID