Cyber resilience: we need to talk about… your people
Blog posted by: Gary Warzala – SVP Chief Information Security Officer (CISO), PNC (02 March 2016)
When thinking about cyber resilience, just how important do you believe the people in your organization are? All your people, from top to bottom?
You have heard the expression ‘People, Process, and Technology’ a thousand times. But which of the three is the most critical when building a top-tier information security/risk management programme? The answer is people – always. And it’s vital to acknowledge that, in the world of cyber resilience, your people represent both your greatest vulnerability and your most effective solution.
People are the determining factor between being prepared for a cyber-attack and ending up on the news pages. And it’s about all your people across the organization, not only those working in the information security/risk management function.
So, what does the human factor in cyber resilience look like?
Having tone from the top…
...in other words, having a clear and committed attitude from the Boardroom. In my view this is the single most important thing a CISO needs in order to develop an effective programme to manage cyber risks. If you don’t have this, then your executive team is just ticking the box in their ‘cyber commitment’, or they don’t understand the risks to their business, or perhaps they believe that they are immune.
Without tone from the top, the CISO – or whoever is responsible for building a cyber resilient organization – will typically end up isolated with minimal support from their peers. Budget and resources will always take a back seat to another business initiative, and it’s just a matter of time before the inevitable happens and everyone wonders how that could have occurred.
True tone from the top is when executives talk about security whenever they talk to employees; when executive teams ask for regular updates from the CISO; when they are curious about current cyber events and how they affect their company. It’s when the CISO meets regularly with the board of directors, or its risk committee, and is held accountable.
Having a culture of accountability
Do you have people in your organization who are managing information risks? I don’t mean just identifying risks, but actively, aggressively managing them. This means having competent people throughout the organization who identify and assess information risk, backed by robust processes, learning, and governance. It also means being willing to have the difficult conversation about enabling the business and accepting the residual risks associated with a product, service, technology, or acquisition.
Here are some very basic questions that you must be able to answer: do you have a culture of accountability in your business, given that information risks reside and are owned across the business? Do you have a CISO, and do they know what they are accountable for? Is your business accountable for accepting risks and the consequences that could result if a risk were realized? If a breach were to occur, would there be a “deer in the headlights” look when determining who is in charge?
Things are never going to end well in a culture which lacks accountability and real information risk management.
Knowing what good cyber resilience is
This comes down to having an organization of people who are cyber aware, curious, ask the right questions and who are not just ticking the box.
And the most effective people in an organization, from the board to the lowest levels of the organization, are also realists. They know that, despite everyone’s best efforts, your organization will never be bullet-proof; they always prepare for the worst and understand that along with identifying risks and protecting the enterprise they will be called upon to detect, respond and recover from a cyber threat in the quickest and most efficient manner possible.
Even an organization with an enviable level of maturity in its technology and process capabilities knows it must continue to evolve at speed, to stay ahead of its business, its technology, and its adversaries.
So you see, people are not only your greatest vulnerability; they also represent the most powerful force you have in finding solutions to protect your most sensitive information and to become a cyber resilient entity. We have to engage with all our people through regular, ongoing, short and compelling learning using some of the latest techniques to get that engagement – games, simulation, animations. We need ‘champions’ and mentors across the organization to build the resilient behaviours required to protect what’s most critical and valuable.
Without all of this it is just a matter of time before you’ll be expected to respond to a successful attack or significant data breach. Where would you rather be?
See our RESILIA™ section for more information about cyber resilience.
More blog posts in this series
Read the first post, What does good information security and cyber resilience look like?