There have been many, unfortunately far too many, significant and devastating security breaches reported recently by institutions that play a major role in areas such as consumer credit reporting, the regulation of business and commerce, and even a leading provider of cybersecurity professional services. These disclosures have led to much reporting and online discussion not only of the cause(s) of the compromises, but of how such highly visible (and targeted) enterprises could have allowed such incidents to occur, taken so long to detect them, and ultimately taken so long to report them publicly.
Asking the Right Questions
Organizations large and small are asking the usual questions: “Could this happen to us?” and “Are we vulnerable to and have we fixed this vulnerability?” They are also likely asking some fundamental questions about their digital security programs in general: “Do we have the right people with the right skills?”, “Do we have the right solutions in place?”, “Are we doing enough?”, or “Are we secure?”
Perhaps the most depressing and disturbing question being asked is: “Look at the major companies that were breached; if it can happen to them, what chance do we have of avoiding a similar incident?”
Making the Case for Digital Security
Virtually all the major incidents of the past years have revealed that the affected organization did not embrace the importance of digital security to the health and prosperity of the company, and therefore did not take the appropriate steps to build a culture of digital security suited to the overall mission or goals of the company. As details emerge about these recent compromises, it is highly likely that these companies, too, will be found to have lacked a proper approach to digital security.
Knowledge is Key
There are many reasons why digital security programs continue to fail so many organizations. These reasons, which usually revolve around a lack of funding, a lack of awareness, a lack of resources, or a lack of dedicated and trained individuals, can generally be described as symptoms of a single root cause: a lack of understanding of how digital security truly works and how to implement it properly in the organization.
Understanding the overall needs for a digital security program also might include the following:
- The reasons why digital security efforts fail within organizations, such as:
  - Lack of corporate commitment to cybersecurity;
  - Lack of commitment due to lack of awareness of risks;
  - Lack of resources (people, money, time);
  - Attitudes (“this will never happen to us”);
  - Organizational structure – too many “silos” with little cooperation.
- The motivations of the attackers (why they would target your organization).
- The threat is real (just look at the Marriott data breach, the SEC, or Deloitte).
There is also a need to dispel some of the significant myths and misunderstandings when it comes to digital security. These include things like:
- Technology solutions alone will make you secure;
- Taking a bare-minimum approach to regulatory/security compliance requirements is sufficient;
- Security is a state you achieve (in reality, there is no such thing as “we’re secure”);
- We implemented a security solution here, so we are secure (aka “set it and forget it”).
A complete understanding of digital security must be taught to every employee of every organization, and it must be explained in a manner that helps everyone understand their roles and responsibilities. Ultimately, the goal is to create a culture of digital security in the organization. A culture of digital security means that everyone understands the overall goals of digital security – whether that is to protect company secrets, customer data, research data, or even the reputation of the company itself. Building on that understanding, each employee must be trained on their job functions and must follow a set of rules or procedures that let them do their work within the boundaries of digital security. That is, they understand the significance of the things they do or don’t do, and how their actions affect the digital security of the organization.
The need for continuing education and training for digital security and technology professionals is well understood by most organizations. Many certification programs require ongoing training and/or continuing education to maintain the certification. Education and training funding or reimbursement are often part of an employee’s compensation package.
But what type of training and continuing education does your boss receive? Or his boss? Or your executive management? Who is teaching digital security up the ranks in your organization? Who is responsible for reporting on the status of your digital security efforts to your executive management?
Maybe it’s you.
There are several techniques for more effective communication that you can practice to improve your chances of helping your management understand the needs of your digital security program and make the right investments in personnel, training, and technology. These techniques may also motivate your management to become better educated themselves on the overall strategy of digital security.
Digital security is a moving target because the technology involved is changing so quickly. There is a continuous and ongoing need for training on the latest technologies, trends, and digital security solutions. But there is also a need for more management and executives to gain a deeper understanding of the strategic goals of digital security and how to apply them most efficiently to their organization.