Originally published in the ISACA Journal
Within the last decade or so, cyberincidents have made headlines and have become top strategic risk factors for enterprises. These incidents have not spared even high-profile enterprises and government bodies. Despite significant investments in cyberdefense, these entities are still considered soft targets by attackers. It has become clear that the weakest link in the security chain is the human factor.
Negligence is a key aspect of human fallibility. Employees and contractors fail to heed security training, enterprise policies, and applicable laws and regulations, which may be regarded as mere check-the-box exercises at the time of joining the enterprise. Negligent insiders are responsible for 62 percent of cyberincidents.1
Consequently, cybersecurity management can no longer be treated as something distinct from the business or as merely an IT department issue. Senior leadership must enhance the enterprise’s cybersecurity strategy by ensuring a security risk-aware culture and working with employees, contractors, regulators, peer organizations and third-party suppliers to reduce the risk of cyberincidents. Ownership of cybersecurity risk at the top helps secure the trust and confidence of all stakeholders while setting the appropriate tone.2
Intra- vs. Cross-Organizational Cybersecurity Management
The growing number of insider threats, the expanding regulatory requirements to safeguard personal and sensitive data, the complexity of responding to changing attack vectors, and the pressure created by these circumstances demand a shift in cybersecurity management from intraorganizational to cross-organizational. In cross-organizational cybersecurity management, the sharing of threat intelligence is of paramount importance.3 This includes information that can mitigate insider threats, such as background checks to determine credit rating, employment history and criminal convictions. Intraorganizational cybersecurity management, in contrast, caters to a noncollaborative and independent type of security management,4 which leads to a siloed approach and enables insider threats to materialize and expand effortlessly.
The Human Side of Organizations
The human work motivation and management Theory Y proposes an environment in which leading by example extends respect, dignity and inspiration to employees, encouraging them to become ethical and disciplined in accepting and conforming to the enterprise’s security culture.5 In contrast, Theory X takes a cynical view of human nature and leads to an adversarial relationship between leaders and employees.6 Social learning theory suggests that weak leadership is to blame for an apathetic and uncooperative workforce; thus top management should be held accountable for the security culture, ensuring its acceptance by articulating its core ethical values and principles through verbal expressions and reminders.7
Consider the example of a security audit conducted in a Theory X vs. Theory Y enterprise. In a Theory X enterprise, there is a bureaucratic chain of command. The auditor discovers a problem and reports it to the information security officer. The security officer passes the information on to the department head, who, in turn, informs the team leader of the non-compliance issue. The team leader summons the employee or employees closest to the source of the problem. This creates a confrontational environment because the employees may have been unaware that their activities were being audited.
In a Theory Y enterprise, the auditor collaborates with the relevant employees when setting the objectives of the audit and engages them directly when a problem is discovered, thus enabling them to own and address the problem. The auditor’s report still climbs the official ladder, but by the time it arrives at the top, the employees have already taken the appropriate steps to mitigate the issue. Employees appreciate feedback from the top and recognize that the enterprise is not interested in punishing them. Such an up-front approach creates mutual trust, respect and an improved security culture.
Conclusion and Recommendations
Most enterprise leaders are not experts in cybersecurity management, but such expertise is not required to make effective decisions. Leaders should take the following steps:
- Train employees properly, and make sure that they are aware of proper procedures. This goes a long way in mitigating cybersecurity risk and improving the enterprise’s security posture.
- Integrate human resources management processes into the cybersecurity strategy to identify and address any potential insider threats that could lead to data breaches and result in regulatory fines, damage to business reputation and financial losses. The motive is not always financial gain; it could be vengeance on the part of a disgruntled employee or contractor due to a denied promotion, unfair treatment or poor working conditions. Although malicious acts constitute only 23 percent of all incidents, their impact can be far reaching.8
- Create a security culture that belongs to everyone, articulate security goals and monitor the enterprise’s security posture from the outset. An enterprise’s security culture dictates the behavior of its employees and the enterprise’s success in sustaining an adequate security posture.
- Ensure that the security culture is inclusive and permeates all parts of the enterprise.
- Foster transparency, develop trust and enhance communications in both directions (bottom up and top down), which will facilitate collaborative ideas, better coordination and positive results.
Nevertheless, ownership of cybersecurity risk at the top is key to getting the security culture right and fostering the desired security behaviors.
“AN ENTERPRISE’S SECURITY CULTURE DICTATES THE BEHAVIOR OF ITS EMPLOYEES AND THE ENTERPRISE’S SUCCESS IN SUSTAINING AN ADEQUATE SECURITY POSTURE.”
The views expressed in this article are the author’s views and do not represent those of the organization or the professional bodies with which he is associated.
- Ponemon Institute, 2020 Cost of Insider Threats Global Report, USA, 2020, https://www.proof point.com/us/resources/threat-reports/ 2020-cost-of-insider-threats
- Bandura, A.; “Social Cognitive Theory: An Agentic Perspective,” Annual Review of Psychology, vol. 52, February 2001, https://www.annualreviews.org/doi/abs/ 10.1146/annurev.psych.52.1.1
- Abiteboul, S.; R. Agrawal; P. Bernstein; M. Carey; S. Ceri; B. Croft; D. DeWitt; M. Franklin; H. Garcia Molina; D. Gawlick; et al.; “The Lowell Database Research Self-Assessment,” Communications of the ACM, vol. 48, iss. 5, May 2005, http://dl.acm.org/citation.cfm?doid= 1060710.1060718
- Settanni, G.; F. Skopik; Y. Shovgenya; R. Fiedler; M. Carolan; D. Conroy; K. Boettinger; M. Gall; G. Brost; C. Ponchel; M. Haustein; H. Kaufmann; K. Theuerkauf; P. Olli; “A Collaborative Cyber Incident Management System for European Interconnected Critical Infrastructures,” Journal of Information Security and Applications, vol. 34, part 2, June 2017, p. 166–182, https://www.sciencedirect.com/science/article/abs/pii/S2214212616300576
- McGregor, D. M.; Human Side of Enterprise, McGraw-Hill, USA, 1957
- Op cit Bandura
- Op cit Ponemon Institute