The Cultural Disconnect - Gartner Security and Risk Summit

By Kevin Bailey, Head of Market Strategy.


I’ve just returned from two days of being fed analysis, recommendations, insights and competitive offerings, which can give you a headache let alone a need for the networking beers to come faster than on the schedule.

The summit theme was centred on Smart Risk: Balancing Security and Opportunity, although from the interactions I encountered during the two days, Paul Proctor, Gartner Chief of Research, summed up the real exposure that organisations face when ensuring that their information is safe from attempts to obtain and use it for unauthorised purposes. “There is a cultural disconnect”, which underlies the reasoning for sacking the security officer when there’s a hack, while senior management pat themselves on the back, having eradicated the cause, believing the new appointment will be the saviour and will not allow future breaches.

Examples of this ‘cultural disconnect’ were evident throughout the two days of the summit:

  • Management – the leaders of organisations who do not realize that security is a continuous activity. So when the CISO asks for funds, management will comment ‘didn’t we give them money last month?’
  • Governance – is not a pure IT concern; it involves interested parties from all lines of business, as well as IT. But the LOBs are not interested and do not want to join in, as they haven’t seen the value of their participation
  • Communication – is not at the appropriate level. Leaders within the LOBs are turned off by reports that discuss the malware types and DDoS attempts since the last report; they want abstractions that show the effects of breaches on business availability and service continuity, as well as the details behind the individuals or groups whose data has been compromised
  • Perfect Storm – portrays the black clouds of doom that may descend on an organisation. Budget allocation for ‘just in case’ has never worked. Governance committees need to define ‘Smart Risks’ when building business cases for information security. This is about balancing security and opportunity, to show how a secure system can enable business growth
  • Time – is a critical factor when implementing a change management process that centres on security policies, infrastructure and effectiveness. Delaying the shoring up of defences, the making of secure information more readily available, and action on the CISO’s ‘gut instinct’ opens the door for the innocent or malicious decision by a single employee to pull the fabric from your business
  • Sum of the Parts – is more effective than relying on an individual. The CISO cannot wave the flag of security benefits by him/herself. Every employee needs to take control and responsibility for security and risk management. The alternative is that security is treated like regular check-ups at the dentist; it’s a nuisance, we don’t care and will avoid if it’s not a priority
  • Eating – the elephant in bite-sized chunks makes more sense than swallowing it in one go. Organisations need to think about security and risk at an individual level, what Gartner calls a ‘People-Centric Security (PCS)’ approach. These ‘people’ are, at the end of the day, your customers, and will want answers about themselves (and their data), not about the health or losses your company is incurring when something goes wrong.
  • Dwelling – on the past creates a historical view of security and risk concerns. Remember that a critical path can only be managed through the things that you can affect. So concerning yourself with nation-state hacking may make a good read in the tabloids, but has no bearing on your business or your ability to recover from such a situation. Build Key Risk Indicators (KRIs) for the things that could affect your business outcomes and, like any good disaster recovery plan, test these regularly
  • Cultural – differences matter. The 24/7 x 365 always-on world we live in today is still comprised of hundreds of countries, billions of people, different faiths, divided opinions on what’s acceptable and what’s not, amongst many other political, economic, social, legal and technological challenges and idiosyncrasies we all have to integrate with daily. So don’t assume a strategy that works for you will work 5,000 miles away, even if you are in the same organisation

Professor Dr Marco Gercke, Director of the Cybercrime Research Institute, gave a thought-provoking keynote that addressed the ignorance of senior management regarding security and risk. “How do you reach the top level, ministerial management? Simple: hack their email! They soon wake up and want something done”, said the professor. Scenarios and PowerPoint don’t work; you have to use a ‘War Games’ approach. But this wasn’t about trying to have senior management learn the dictionary of DDoS, IPS, IDS, DLP or other terminology spoken in the security operations centre. It’s about understanding:

  • What types of attacks are you expecting? System, Physical, Remote workers
  • What are your key assets that are at risk? Order processing, Customer support, R&D
  • Who do you need to get involved? PR, Facilities, HR, IT, Risk Management
  • What are your priorities? Customers, Employees, Infrastructure, Stock Market

Although you could protest that this is a level of balancing security and opportunity, it’s more about changing the culture of senior management so that it responds to a security attack, and also about IT-literate employees and stakeholders adjusting their communications so that they address many (and more) of the topics identified above.

So rather than taking you through chapter and verse of every session, I’d like to close this blog with two areas that, if adopted organisation-wide, would help to produce a culturally balanced organisation and provide the right levels of security protection to enhance business opportunities.

People-Centric Security (PCS) – Start from the bottom up and think about how you would react if someone was using your information inappropriately. Now multiply this by the number of items of PII data you hold and the new data they are reconstituted into, and you will get a level of the shakes normally associated with a weekend of sleep deprivation, alcohol and loud music. So think of your customers, employees and stakeholders, amongst other individuals, and determine whether their level of access to information is appropriate and whether they understand their obligations to maintain a secure environment. If it was that easy, we would all be doing it, but it’s just like a waterfall in reverse: this water flows up from the individual to the business and not the other way round.

Infonomics – Yes, people rob banks because that’s where the money is! So hackers attack computer systems because that’s where the information is! Economics is not just about monetary value, but about the areas of value that the holder of a commodity (money, possessions and, in this case, information) can exploit to gain an advantage. Every item of information (data) has a value (my PII is worth $1.35c), so assign a value to your categories/classifications, providing a basis upon which appropriate levels of security can be applied, and so that you are informed of the level of risk associated with that information when it has gone astray.