There are many reasons why cybersecurity programs are continuing to fail for organizations. These reasons, which usually revolve around a lack of funding, lack of resources, or a lack of dedicated and trained individuals, can generally be described as symptoms of a lack of understanding of how cybersecurity truly works, and how to implement it properly in the organization.
There is certainly a historical lack of institutional knowledge about cybersecurity in the commercial world. Before companies started attaching their internal networks and servers to the Internet, many only needed physical security protections for their data centres, computer rooms, and their workstations. The use of, and now reliance on, the Internet for all things related to communications and commerce has created a huge demand for cybersecurity professionals in the workplace; one that has not been adequately met. Demand far outweighs the supply, and there is a growing need for trained and skilled cybersecurity professionals.
Many cybersecurity professionals trace their careers back to the military or Department of Defense (DoD) training. Others began their careers in a technical track as a programmer/developer, system administrator, network engineer, or even working the help desk. Still others are naturally inquisitive about computers and networking technology, and these ‘hackers’ have learned about cybersecurity by breaking or tearing apart the technology in order to learn first how things work and then how to break them.
For those that did not benefit from growing up with and gaining hands-on experience as these technologies were emerging, there is the necessity of pursuing the expertise almost exclusively through education and training. The prevailing educational and training programs are mostly focused on the key technical areas related to software development, system administration, network engineering, and cybersecurity — emphasis on the technology.
While most educational and certification programs include some overview of the history, mission, and evolution of cybersecurity as part of the curricula, what is often lacking is adequate training on the overall principles of cybersecurity. The tendency is to focus on the immediate, tactical needs of how to deploy systems and applications in a secure manner, in an attempt to secure the entire enterprise network. There’s a lot of ground to cover from a tactical perspective, as indicated by the CISO Mind Map, which shows an ever-increasing list of areas a cybersecurity professional needs to care about:
I am planning to publish #CISO Mind Map 2018 by end of April 2018. If you have any suggestions, please DM. Attaching the 2017 #MindMap as a reference. #infosecurity pic.twitter.com/2crMgBuAI2
— Rafeeq Rehman (@rafeeq_rehman) April 3, 2018
Unfortunately, these efforts occur often without an overall strategic examination of what, where, why, or how you are doing all the things you are doing. This fundamental disconnect is the actual root cause of why major breaches keep happening to companies, namely the lack of a strategic and process-oriented approach to cybersecurity.
Further, there is a lack of training on how to take the message to the right people in organizations, specifically executive management, business units, IT personnel, or end users. Compounding the problem is a tendency for the entire cybersecurity industry to be reactionary rather than proactive in its approach to providing cybersecurity ‘solutions’.
Cyberthreats continue to be highly sophisticated and companies continue to struggle to detect and respond to attacks when they occur. The endless cycle of newer and faster technology emerging, along with the ability to connect devices faster and in more places, continues to consume the attention of legitimate, tactical efforts that are simply trying to keep up.
The lesson to be learned from this latest wave of major breaches is that the current approach is not working. What is needed is a more strategic focus and understanding of the goals of cybersecurity as well as the responsibilities for every employee to do their part to assure the company is meeting its cybersecurity objectives.
Creating a culture of cybersecurity
A complete understanding of cybersecurity must be taught to every employee of every organization and must be explained in a manner that helps everyone understand their roles and responsibilities. Ultimately, it’s about creating a culture of cybersecurity in the organization.
A culture of cybersecurity means that everyone understands the overall goals of cybersecurity — whether it is to protect company secrets, customer data, research data, or even the reputation of the company itself. Building on this understanding, each employee must be trained on their job functions and follow some set of rules or procedures that enable them to do their work within a boundary of cybersecurity. That is, they understand the significance of the things they do or don’t do and how their actions impact the cybersecurity of the organization.
The message of security for the organization can be conveyed without getting into the technical specifics or using complex language that not everyone understands.
Start with a discussion of the need for a cybersecurity program and point to relatable topics, such as how:
- Technology resources are vital assets because they contain or process the information the organization needs to protect.
- Loss or misuse represents a significant risk to the organization (and you).
- Potential consequences for misuse, loss or compromise include:
  - Disclosure of sensitive or regulated information
  - Loss of competitive advantage and/or revenue
  - Reduction in productivity
  - Lost business due to disruption in operations
  - Bad publicity and/or damage to corporate reputation
  - Liability damages
  - Loss of employment
Understanding the overall needs for a cybersecurity program also might include the following:
- The reasons why cybersecurity efforts fail within organizations, such as:
  - Lack of corporate commitment to cybersecurity
  - Lack of resources (people, money, time)
  - Attitudes (“this will never happen to us”)
  - Organizational structure — too many ‘silos’ with little cooperation
- The motivations of the attackers (why they would target your organization)
- The threat is real (just ask Equifax, the SEC, or Deloitte)
There is also a need to dispel some of the significant myths and misunderstandings when it comes to cybersecurity, including:
- Technology solutions alone WILL NOT make you secure
- Taking a bare-minimum approach to regulatory/compliance requirements IS NOT sufficient
- Security IS NOT a state you ‘achieve’ (for example, there is no such thing as ‘we’re secure’)
- “We implemented <insert security solution here>, so we are secure” (also known as ‘set it and forget it’) DOES NOT make you secure
The reality is that cybersecurity is more of a lifestyle or continuous event. Practicing good security means understanding that the activities involved in providing good cybersecurity can be expressed in terms of a ‘lifecycle’. These activities, or steps, are continuously happening and evolving as technology and your business goals evolve.
These steps generally involve an assessment of where you are and what is at risk (a risk assessment). Once your risks are identified and quantified there is a need to develop a plan or strategy of how you want to get your overall risk to an acceptable level. Once the plan is established (and documented) you go through the phases of building and implementing the things that are required to meet your strategy’s objectives — this is where most of what we know as ‘cybersecurity’ is focused, namely: implementing a vast array of technical solutions; implementing and maintaining secure systems; and monitoring and maintaining the ‘secure’ environment.
The natural progression after the implementation phase is to measure how well your solutions are working compared to the goals set forth in your strategy — this is generally called the audit or assessment phase. The results of your periodic auditing should be fed back into your original planning/strategy documents to see if any changes need to be made to your strategic goals and then how you achieve those goals.
This overall lifecycle process might take place over the course of several months but might happen as quickly as several hours or days depending on the severity of the weaknesses discovered.
Following this lifecycle approach to cybersecurity does not mean that your organization will spend less money on technology solutions. Nor does it minimize what will be spent on education and training for your workforce. The goal is that you will be able to make an informed decision based on your understanding of the risks you face and spend your budget more wisely and effectively.
Tips on how to train your management
The need for continuing education and training for cybersecurity and technology professionals is well understood by most organizations. Many certification programs require ongoing training and/or continuing education to maintain the certification. Education and training funding or reimbursement are often part of an employee’s compensation package.
But what type of training and continuing education does your boss receive? Or their boss? Or your executive management?
Who is teaching cybersecurity up the ranks in your organization? Who is responsible for reporting on the status of your cybersecurity efforts to your executive management? Maybe it’s you. Maybe you have tried and failed. Maybe you have had nominal success.
Sometimes executive management is not listening to the people in their organization who have the best understanding of cybersecurity and what the company needs to be doing, or where to focus its efforts or budgets. More often, the message is not being properly communicated to management in a way that makes the need understandable, or the required actions clear. It’s not good enough to know the problems and what needs to happen if you can’t articulate them to the decision makers in your organization. In other words, if you are not part of the solution, you might be the problem.
Have you ever taken a speech class in high school or college or done any public speaking? The type of speech required to communicate effectively with your management is actually ‘persuasive speech’.
Persuasive speech is one of three reasons why we communicate to others (the other reasons are to teach or to commemorate) and it is the type of speech where you are trying to convince your audience to make a decision and often to take an action. In most companies, the action required is to spend money — either for more equipment, or for more staff, or to provide training for the staff.
There are several techniques for more effective communications that you can practice in order to improve your chances of helping your management understand the needs of your cybersecurity program, make the right investments in personnel, training, and technology, and hopefully will motivate them to become better educated themselves on the overall strategy of cybersecurity.
These techniques include the following:
Know your management
Knowing your management has a couple of purposes. It’s good to establish some sort of relationship, one that often includes trust, but it also helps to create an environment where you are recognized as someone who understands them and is like them (not one of those ‘weird techie’ types).
Knowing your management also involves understanding what their likes and interests are, especially outside of the workplace, which might be helpful as you engage and practice some of the techniques described below.
Engage your audience
Work on establishing a comfortable interaction with your boss. Maybe engage in some conversation (it helps to know them), such as asking about their family or latest vacation or golf outing.
Offer something about yourself such as a recent personal (or work) experience, or share that you enjoyed the latest corporate gathering. Get them talking and interacting with you and then ease into the purpose of your conversation.
Listen
This is probably the most important technique for effective persuasive communications. Listen to what your boss is saying so that you can gauge whether they understand you or not.
Listening involves not only verbal communication but non-verbal as well, such as body posture and facial expressions. Are they nodding their head in understanding? Are they leaning forward in their chair? Or do they look lost and a little bewildered?
Speak their language
As best as you can, you need to have the conversation in terms that your management will understand. They likely won’t understand a lot of the technical details of what you are talking about, but they should respond to statements such as ‘this will cost us money’ or ‘we will lose customers if this doesn’t happen’.
Talking in business terms is a pretty common language for bosses, and you should have some awareness of what aspects of the business are of most interest to your boss. For example, it could be profit and loss, gross revenues, client satisfaction, beating the competition, or preserving the corporate image.
Tell stories
This is where knowing your management comes into play. Telling stories or making analogies is an attempt to get your point across but in a way that your boss will understand. An example might be that you know your boss likes baking but isn’t really a big fan of sports. Trying to convey your message with a sports analogy might not make a whole lot of sense; rather try to make an analogy to baking mentioning things such as having the oven at the right temperature; having the right equipment; following a recipe; or how to test to see if the baked good is done.
Making an analogy to something with which your boss is familiar is much more likely to help them understand what you are trying to explain to them.
Simplify
There is a huge tendency for technical people to explain the technical details in excruciating detail, but most of the time this is unnecessary. It’s okay to provide an overview of the problem(s) and omit the details.
This can be challenging if you are really technical, because you pride yourself on understanding the complexity of the situation. It’s okay to stick to the high-level view or the basics of the problem, and sometimes you can even oversimplify to the point of being technically inaccurate. That is also okay if you get the general point across successfully.
Don’t assume understanding
You might think you’ve done a great job at explaining the problem and have successfully used all of the techniques suggested here. That doesn’t mean you have accomplished your mission though.
Ask for feedback from your boss, or ask them to explain back to you what they think is the problem. Does it make sense? Do they understand the problem? If not, you will have to try again using a different technique, story, or example. Maybe you need more simplification or maybe less.
The key here is to be able to adapt and change your delivery on the fly so that the message is conveyed and you get the decision or action that you desire. Remember the old saying, “If at first, you don’t succeed, try, try again”.
Of course, these techniques are for effective communication regardless of your audience. You can practice them whether you are trying to get your boss to make changes or understand cybersecurity more strategically, or if you are trying to educate your team or your end users on good cybersecurity practices and hygiene.
Next steps
Cybersecurity is a moving target because the technology involved is changing so quickly.
There is a continuous and ongoing need for training on the latest technologies, trends, and cybersecurity solutions. But there is also a need for more management and executives to gain a deeper understanding of the strategic goals of cybersecurity and how to apply them most efficiently to their organization.
Adapted from original post which appeared on Peerlyst.
Jeff Man is a Senior Information Security Consultant at Online Business Systems.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.