What keeps the CISO awake at night?
Part 3 – The three layers to developing a security culture
The tenure of a CISO is famously short and uncertain, often because the CISO is the default owner of every security issue discovered after the fact. Organisations need to set, embed and cascade a security culture so that, like the words running through a stick of rock, security pervades organisational culture, processes and commercial activities. Here is a three-layered approach to developing one.
Layer one: Set the right tone from the top
We frequently see clients for whom security is considered the job of the Security function alone. This is understandable: if something goes wrong, the search for a scapegoat will inevitably include the CISO. A security-literate culture also faces an organisational barrier, because if security is everybody's job then everybody else takes on an additional element of risk. While the Security function is seen to own security, all other stakeholders sit in a much more comfortable position and have little incentive to increase their personal exposure.
During the financial crisis there were several occasions on which the Chief Risk Officer of a failed bank was hung out to dry, either for personally failing to manage the risk of excessive organisational leverage, or for arguing that managing the risk of financial products was everybody's job (i.e. "it's not just my fault"). As for risk, so it should be for security. There is a genuine tension here: managing security and risk is the job of the entire organisation, yet accountability has to be centred on a recognisable individual.
Setting the tone from the top therefore requires the most senior management of an organisation, probably the CEO, to state that security is everybody's responsibility while retaining accountability with the CISO.
Layer two: Give Security power and use it
The second layer of creating a security culture goes beyond tone and beyond policy: it involves embedding the principles of security throughout everyday operations. Security teams have a habit of being somewhat apologetic when asking other parts of the organisation to consider security in their processes. They don't want to get in the way or stifle business activity, and this can lead to a rubber-stamp process in which security has been verbally considered but has not been embedded in the design of processes or activities. "Secure by design" requires processes such as Change, Release and Incident management to consider security in a more formal way.
For example, a more secure and mature Change process will require formal sign-off from the Security team, which has been given genuine veto power, before risky changes can be deployed. Where the business chooses to proceed over a security objection, that decision should be recorded as an accepted risk with a named owner, rather than quietly waved through. It is important, periodically, for Security to flex its muscles and demonstrate that it will not compromise standards in order to stay friendly with the business when security principles are not met. This willingness to be unpopular may be uncomfortable to begin with, but it is required in order to change the culture. It is surprising how frequently we hear the refrain that Security has veto power but never uses it.
This is not just an IT issue. Viewers of the TV legal drama Ally McBeal may recall a scene in which one of the senior lawyers has departed from the firm and the managing partner launches a crisis management response: an air raid siren blares through the PA, all systems are physically locked down and doors are bolted to prevent the loss of sensitive client data, contacts and intellectual property. HR, employee retention and commercial focus can also benefit from awareness of security principles, though perhaps less chaotically.
Layer three: in-person training
Embedding security into existing processes can become stale unless training at multiple layers of the organisation keeps staff up to date with the changing threat environment. It is well known that many people find Computer-Based Training (CBT) a low-value, time-consuming exercise that does not work; some senior executives even ask their assistants to complete CBTs on their behalf. We have also seen the other end of the spectrum, in which division heads, and the CEO, sit in the classroom with their teams to be trained on security awareness, not just for their day-to-day activities at work but also with tips they can use in their personal lives. For example, at an asset management client, the chief executive of one of the business units asked, in front of their team, for specific help on securing their mother's email and personal Internet usage with multi-factor authentication.
This returns us to tone at the top. Senior acknowledgement, in public, that security is a responsibility for all does not remove accountability from individuals. Applied over time, a three-layered approach can deliver tangible improvements.
If you enjoyed this blog then why not read others in our ‘What keeps the CISO awake at night?’ series:
Part 1 – The biggest security threat to my organisation is our staff – what can I do?
How can I stop my Data Loss Prevention project from failing?