When it comes to cybersecurity and regulatory compliance some things never change.
Despite the increasingly higher fines being levied and rising number of data breaches and more stringent government and industry regulations, too many C-level executives and senior-level managers remain out of touch when it comes to understanding data security, privacy, and regulatory compliance.
This makes it quite challenging for security professionals because, without C-Level executive leadership behind cybersecurity efforts, it is way too easy for these efforts to simply be shoved aside. Who wants to have to deal with threat modeling new services, checking contracts for security obligations, putting in place good access control, or making sure applications are developed as securely as is reasonably possible? All these things do is bog projects down…
Of course, if an organization wants to remain secure such measures are essential. But the natural tendency of people and teams is the same as water: it’ll travel the path of least resistance unless guided otherwise. When it comes to cybersecurity, it’s guided not by riverbeds or plumbing but executive leadership. This is why a recent survey is so concerning.
According to the 2016 State of Compliance survey (conducted by Liaison Technologies) nearly half of the C-level executives and senior-level managers don’t know for sure what information security and privacy regulations apply to their organizations. About 500 executives and senior-level managers took part in the survey.
Additionally, and nearly as concerning, about 25 percent of survey respondents reported that they are not sure who is responsible for security and compliance in their organization and about half don’t think their data is secure in the cloud.
This kind of senior leadership and cybersecurity disconnect should surprise me, but it doesn’t. In the 2015 US State of Cybercrime Survey, conducted by PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service found that 28 percent of respondents don’t make any presentation to their board of directors and 26 percent (one in four) have a CISO or equivalent, present to the only board annually.
That means about 30 percent of respondents said their senior security executives were in regular contact with the board through quarterly cybersecurity presentations.
These are dismal results, of course. And they point to the long on-going discussion regarding the cybersecurity and business executive disconnect that exists – and why it is critical this disconnect be closed. As NSS Labs CEO Vikram Phatak told me for the story Top executives and cybersecurity: a fickle relationship? “Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance and place value on it accordingly.”
Of course, none of this is easy, or most organizations would be doing this already. And ensuring business leadership and cybersecurity goals are properly aligned will be an important topic area covered here in the next year. In the meantime, there are lessons to be learned from other industry efforts when it comes to affecting culture change.
In this story, Aligning Cybersecurity with Corporate Culture, the author cites researcher Philip Sutton’s four shifts in emphasis that characterize the evolution of workplace safety culture:
- From an employee responsibility to a management responsibility.
- From post-accident coping to prevention.
- From nonsystematic management to whole system management.
- From risk reduction to risk elimination.
“When managers took up the safety mantle—establishing and enforcing safety protocols, providing worker training, and encouraging supervisors and employees to report hazards—accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aimed at eliminating risk altogether,” JR Reagan, global chief information security officer, Deloitte Touche Tohmatsu Limited wrote in his post.
There’s good reason to think, as Reagan said, that such lessons learned about risk reduction from other domains should be embraced – and they need to be embraced not just by security practitioners – because they know what is at stake and largely what needs to be done. And they’re placed at a disadvantage without the proper support being in place. Because without that leadership involvement, and even a culture of security, too often cybersecurity is just something that gets in the way and so it gets pushed aside.