"Effective security is every bit as much about leadership and organizational culture as it is about encryption and authentication. Nowhere is this more true than in dealing with the insider threat. And the C-suite is where organizational culture is generated and the overall tone set … much more so than the CISO’s office. Think about it: where are the company secrets discussed the most? On whose laptops and mobile phones are they stored? Where are spearphishing attacks commonly directed? However, because of the factors noted above, the C-suite is the place where, more often than not, internal security gets swept under the carpet."
Tom Wills' blog piece focuses on internal threats, fair enough, but I maintain that the benefits of security awareness among senior management extend well beyond that domain. A security-aware management team:
- Demonstrates true leadership in this area, motivating and guiding the rest of the organization to manage risks to the organization's information assets plus those in its care;
- Understands the business benefits as well as the costs of security and hence is more likely to understand the risks and hence support appropriate, ongoing investment in information security;
- Appreciates the value and purpose of strong governance, for instance treating security policies, metrics and compliance activities as worthwhile management tools rather than mere red tape;
- Makes all manner of security- and risk-related decisions more rationally, discussing and weighing-up the pros and cons in full knowledge of the facts;
- Takes a strategic, holistic and proactive perspective on information security as an essential complement or enabler for the business (not just for compliance, risk management and governance); and
- Is the motive force driving security awareness throughout the organization and in its relationships with third parties, in other words fostering a genuine security culture.
If my little list seems excessive to you, turn it on its head. A security-ignorant, incompetent or careless management team is a nightmare, taking massive unwarranted and largely unknown risks, randomly pushing and pulling the organization around with no sense of guidance or propriety and generally failing to invest sensibly in security. 'Do as I say, not what I do' is an untenable but surprisingly common management position on security, sending out precisely the wrong message. Setting the wrong tone at the top, or staying resolutely silent on important matters, is hardly a recipe for business success in any sphere of management.
Personally, I'm convinced that mismanagement is largely to blame for most if not all of the major information security incidents that hit the headlines. Security unawareness, especially among management, is a significant risk in its own right.
As to how to treat the risk and make senior management security-aware, that's actually quite straightforward provided you have a clue about what makes senior managers tick, what motivates, interests and concerns them. It helps for instance if security awareness is a dialog, an active and engaging conversation or discussion with the audience on business issues rather than a broadcast or lecture on technical matters. Expressing security things clearly and sensibly to management and other business people in familiar terms - in plain English - is a tough challenge for some of my professional colleagues. It's one of the defining characteristics of an effective CISO.
I'll give Tom Wills the last word:
"Awareness is good: it’s the first step in making any change, and it looks like that’s starting to spread when it comes to the insider threat. To follow through and make change actually happen … for organizations to get back ahead of the curve on security, every one will have to get outside of its own comfort zone, starting at the top."