A Culture of Security
- Joel Van Dyk
- Mar 5, 2024
- 2 min read
Many times in my decades of Cybersecurity I’ve been in a place where the Cybersecurity Program is on the skids. The CISO leans over the table (sometimes I’ve been this CISO) and says inspirationally, “what we need to do is build a culture of security”.
What they should be saying is that we need to assess risk vs reward all the time, and Cybersecurity is part of that risk.
Ok, great, how does that happen?
Too often this culture change develops into a series of slideware demonstrations and training sessions given to the community at large, and to developers and systems administrators in particular, emphasizing that they should think about security every moment, because the hackers are. Sometimes, we put on fun events that try to teach cybersecurity lessons themed around current threats. While much better than the first method, I fear those events were more fun for, and had a more lasting effect on, the Cybersecurity department.
At the end of the day there is really only one way to drive Cybersecurity as a culture. Making something the culture of the firm has big consequences for the way the firm operates, i.e. its goals. A goal of the firm needs to be driven from the CEO down. If we are really going to balance the risk vs reward of each decision in the firm, and Cybersecurity is an important part of risk, then that assessment needs to be taken at every stage, the same way profit and loss are.
This is usually not the case though. Cybersecurity assent is given around the senior management table. But, when senior leaders go back to their teams, what is driven as a goal is to meet the P/L needs of the business, and that only. If Cybersecurity is considered, it is an afterthought, and must be forced by the Cybersecurity organization. This happens because there is no quantitative evaluation of the risk and what it would cost the firm to not deal with the security risk up front. In other words, at the end of the day, Cybersecurity is not part of the bottom line. For that, I blame ourselves for not quantifying it as part of the bottom line.
I’ve really only seen the culture of security work well twice. The first was a firm where the guy responsible for security also reported to the CIO, who was also the COO, and became CEO and President. The second was myself as CISO when I reported to the COO/CIO. That kind of support is “executive buy-in”. That means that you can easily say that at each decision point the Cybersecurity risk will, can and is weighed, because your CIO/COO/President-CEO is asking just that question. Usually, an evaluation of Cybersecurity risk is right up there with the business risk question of whether we can actually make a profit off of this, and evaluated in the same way: with dollars and cents. If you can’t state your risk in this language, you have already lost your senior-level battle.
So, all the PowerPoints and events are nice carrots, but at the end of the day you also need a stick, and one that you can measure.