For several years, I’ve been intrigued by the lofty idea some cybersecurity professionals seem to have that their job is to convince others: Convince users that they need to do certain things to protect themselves and their data; Convince the board that they need to invest more to protect the company, etc.
There is also the prevailing sentiment in the cybersecurity communities that these are rational arguments, to be won by facts and figures.
Somehow there seems to be a feeling that employees don’t know what to do about cyber and the board doesn’t understand. They need to be educated or trained about it; it needs to be explained to them and cybersecurity needs to be brought to their level – up or down.
Too often the argument is framed in technical terms, regardless of the target audience and the business environment and culture in which they operate.
This approach is flawed on two levels in my view.
First, I think the argument that employees and leaders need to be cyber educated is losing ground and credibility. The last decade has seen a relentless avalanche of cyberattacks on all sorts of levels – personal and professional alike. Most business communities would have already been exposed to some of these incidents and would have accumulated a wealth of knowledge about what they mean and how to deal with them.
Major organizations – and public agencies – have cybersecurity practices and have conducted security awareness campaigns in one form or another for the better part of the past two decades.
Frankly, when some people say they don’t know what to do around cyber, you might want to ask them where they’ve been for the past 10 years…
Basically, we have to ask ourselves why the messages that cybersecurity professionals have collectively tried to get across over the years don’t seem to leave a mark.
My opinion is that beyond the technical aspects that I mentioned above, we have also formulated the messages in a way that is too functional and too rational, when in fact it is essentially a cultural situation.
You have to assume – and this is my second point – that cognitive biases and the emotional attachment employees have (or do not have) to the company and its values are what shape their behaviour, and that these require a different approach.
The key here is to find ways to embed cybersecurity – and business protection in general – into the cultural fabric of an organization. It’s not something that cyber professionals can design themselves and push from the bottom up or sideways: to a large extent, it should be seen as coming from the top.
Basically, it’s a natural human instinct to protect what’s important to you: your home, your children… And employees, like managers, can no longer say they don’t know what cyber risk is, given the avalanche of cases we have seen in recent decades.
For them to react to it, cybersecurity must be framed in their culture and by their peers, and above all in the real context of their profession; it cannot come from an outsider like the CISO – or, to a lesser extent, the CIO.
To put it bluntly, you can spend as much money as you want on cybersecurity awareness and it will be wasted if people see managers and senior executives constantly breaking the rules – and being allowed to do so.
If the corporate culture is toxic and employees are dissatisfied with their jobs and their relationship with the company and its management, don’t expect cybersecurity and the protection of corporate data assets to be on anyone’s radar; trying to build positive momentum around cybersecurity will be costly and probably won’t get very far.
Generally speaking, and from a long-term perspective, we have to accept that these kinds of outreach programs, driven from the bottom up or sideways by CISOs and CIOs, have not worked well enough over the years, beyond putting – at great expense – a proverbial tick in the compliance boxes; they have been tried and tested in all sorts of formats over the past two decades, and we wouldn’t be here writing about them if they worked as claimed.
So things have to change and the first step is to stop repeating the mistakes of the past.
Senior managers should take the lead in security awareness and direct it consistently to their employees, in their own language and in their own way, at the level they deem relevant to the business.
If they don’t see the need or stay in denial, I think we’re past the point where we should expect cybersecurity professionals to “convince” them.
In the face of relentless cyberattacks, we have now entered the realm of corporate governance, and I think the board should just mandate it. And I consider it a duty for independent directors to ensure that this is done.
If skills remain an issue at this level, then the appointment of a cybersecurity specialist at Board level should be considered, but this is now the only way – in my view – for this to start moving forward.
About the Author
JC Gaillard is the founder and managing director of Corix Partners, and a member of the Chartered Institute of Information Security. Corix Partners is a London-based boutique management consultancy and thought leadership platform, focused on assisting CIOs and other C-level executives in solving the strategy, organization and governance issues of cybersecurity.