Top Management and Cybersecurity – Sometimes you just need a better strategy

As a CISO, you’re likely to have put forward many plans to improve the security posture for the users of your organisation.  Much of the time, you get Executive sign off and roll out whatever initiative it might be. The aim of your program is to help users understand the need for good cybersecurity practices, protect themselves better, and improve overall cyber protection for the company in the process.  Your initiative might be something like enabling Multi-Factor Authentication (MFA) across the company or hardening password policies, but in reality, it could be any number of things. The important point is that it will only be effective if it is supported by the actions of users.

If there is one constant seen across most companies, it is that Executive teams are generally the worst when it comes to applying good cybersecurity habits.

Why is that?

Given the risks involved, you would expect that practising good cybersecurity hygiene would be a top-down approach, that the senior team would lead by example to influence the staff below. Instead, it is often the reverse – where security and related functions have to battle to drive strong cybersecurity and risk management disciplines up through the organisation. This is especially true for small and medium-sized companies.

Usually, once the security team has the approval to implement policies for the entire company, getting the employees at the ground level to follow them is the easy part. These staff do not have the influence or power to push back against the policies. Your CEO and Senior Executives do, however. It’s often a case of “absolutely, we need to get the entire company to follow best cybersecurity practices – just not me”. In smaller companies, in particular, these individuals often have enormous sway to do as they like, since they are instrumental to the company’s success.

To illustrate the point, here are two of the most common excuses CISOs will have heard over the years:

  • “Password policy is too complex.  I can’t remember these types of passwords, please make mine a 4-digit limit so I can remember it better”.
  • “Multi-Factor Authentication?  I just want to check my email! This takes too much time and is too difficult”.

And the list goes on.

It is, unfortunately, a common occurrence for an Executive to fall victim to a ransomware attack because they failed to follow security rules like MFA as they found them too burdensome. Executives often take the attitude and reasoning that “if anything stops me going at the pace I want to go at, it is just not happening”.

Why does it take an attack for some Executives to get serious about security? I’m sure this is a story everyone in leadership positions in cybersecurity can relate to.

So, what’s the fix?

Just for the record, cybersecurity awareness programs are really important, and there are all sorts of techniques that can help you get your message across. But while awareness is important, in most cases it’s just not enough.

Harvard Business Review sums up an excellent tactical approach to help solve this issue:

“How can a CISO work around a decision maker’s inattention? No one likes to be embarrassed, but negative feedback can sometimes be an effective remedy for inattention. Security teams should regularly try to break their own systems through penetration testing, and the CEO should be the biggest target. After all, that’s how outside hackers would see it. By making the CEO the victim of an internally initiated (and safe) attack, it might be possible to draw their attention to potential risks that already exist and motivate leaders to increase their investment in cyber infrastructure”.

While subjecting the CEO or other Executives themselves to pen testing is potentially a great idea, we should go even further. Hire an external pentest team to do an analysis. Third parties will lend an extra level of gravitas and credibility to the findings. Take the penetration test results and package them in a way that Executives will relate to – like attaching a loss figure to a real attack (should it materialise). Tell them how much it would potentially cost the company were these vulnerabilities to be exploited.

But also – and this is the really important part – use the conversation as a trigger. After all, this shouldn’t just be about fixing the specific vulnerabilities you found. Use it as an opportunity to start a dialogue with decision-makers about the organisation’s true cyber risk profile and the role they MUST play in securing its survival well into the future.  Because remember – it’s a question of when, not if.

 

About the author

Todd Wade
Principal Consultant, CRMG
Former CTO Skechers (Europe)
Industry Specialism: Rapidly Scaling Startups, Cloud technologies, Retail
Area of Expertise: Cyber Security Executive Management, Technology Risk