WIREDGOV

Blog posted by: Gary Warzala – SVP Chief Information Security Officer (CISO), PNC  (02 March 2016)

When thinking about cyber resilience, just how important do you believe the people in your organization are? All your people, from top to bottom?

You have heard the expression, ‘People, Process, and Technology’ a thousand times. But which is the most critical of the three when building a top-tier information security/risk management programme? The answer is people – always. And it’s vital to acknowledge that, in the world of cyber resilience, your people represent both your greatest vulnerability but also your most effective solution.

People are the determining factor between being prepared for a cyber-attack and ending up on the news pages. And it’s about all your people across the organization not only those working in the information security/risk management organization.

So, what does the human factor in cyber resilience look like?

Having tone from the top…

...in other words, having a clear and committed attitude from the Boardroom. In my view this is the single most important thing a CISO needs in order to develop an effective programme to manage cyber risks. If you don’t have this, then your executive team is just ticking the box in their ‘cyber commitment’, or they don’t understand the risks to their business, or perhaps they believe that they are immune.

Without tone from the top, the CISO – or whoever is responsible for building a cyber resilient organization – will typically end up isolated with minimal support from their peers. Budget and resources will always take a back seat to another business initiative, and it’s just a matter of time before the inevitable happens and everyone wonders how that could have occurred.

True tone from the top is when executives talk about security whenever they talk to employees; when executive teams ask for regular updates from the CISO, when they are curious about current cyber events and how it affects their company. It’s when the CISO meets regularly with the board of directors, or their risk committee, and is held accountable.

Having a culture of accountability

Do you have people in your organization who are managing information risks? I don’t mean just identifying risks, but actively, aggressively managing them. This means having competent people, throughout the organization who identify and assess information risk, backed by robust processes, learning, and governance. That also means being willing to have the difficult conversation about enabling the business and accepting residual risks associated with a product, service, technology, or acquisition.

Here are some very basic questions that you must be able to answer: do you have a culture of accountabilityin your business, because information risks reside and are owned across the business? Do you have a CISO, and do they know what they are accountable for? Is your business accountable for accepting risks and the consequences that could result if the risk were realized? If a breach were to occur, would there be a “deer in the headlights” look when determining who is in charge?

Things are never going to end well in a culture which lacks accountability and real information risk management.

Knowing what good cyber resilience is

This comes down to having an organization of people who are cyber aware, curious, ask the right questions and who are not just ticking the box.

And the most effective people in an organization, from the board to the lowest levels of the organization, are also realists. They know that, despite everyone’s best efforts, your organization will never be bullet-proof; they always prepare for the worst and understand that along with identifying risks and protecting the enterprise they will be called upon to detect, respond and recover from a cyber threat in the quickest and most efficient manner possible.

Even an organization with an enviable level of maturity in its technology and process capabilities knows it must continue to evolve at speed, to stay ahead of their business, technology, and their adversaries.

So you see, people are not only your greatest vulnerability; they also represent the most powerful force you have in finding solutions to protect your most sensitive information and to become a cyber resilient entity. We have to engage with all our people through regular, ongoing, short and compelling learning using some of the latest techniques to get that engagement – games, simulation, animations. We need ‘champions’ and mentors across the organization to build the resilient behaviours required to protect what’s most critical and valuable.

Without all of this it is just a matter of time before you’ll be expected to respond to a successful attack or significant data breach. Where would you rather be?

See our RESILIA™ section for more information about cyber resilience.

More blog posts in this series

Read the first post, What does good information security and cyber resilience look like?

Read the second post, What does good cyber resilience look like?: building a solid information security strategy