Cyber security programs and organizations are often built around cyber security tools - SIEM software, networking management tools, IAM tools, key management tools, authentication tools - there is no lack of tooling available.
But what usually comes last in funding and execution? People. And what is almost always the weakest link in security? People. Why do cyber security programs rely so heavily on security tools rather than address the critical weakness and build a culture of security?
There are a few potential reasons. First, it is difficult to get management to commit to training and hiring additional resources, even though training and resources are recognized as the foundation of a believable cyber security program. The difficulty is in quantifying the benefits of training and resources and measuring the effectiveness of additional resources or training programs.
Here is an example of how discussions about funding for cybersecurity resourcing and training often goes:
Cold-hearted Purse String Holder:
Will providing more funding for additional resources and security awareness training result in better security?
Cybersecurity Beggar:
Well, we know training improves overall security, and additional resources could improve our security profile, but we don’t know by how much.
Cold-hearted Purse String Holder:
Hmmm… how about we hire an intern and provide training that meets the minimum security framework requirements?
Cybersecurity Beggar:
Sigh… OK, we will do our best. See you next year.
Second, business justification for security tools is easier because tools have KPIs (Key Performance Indicators) and results can be quantified and shown in graphs or heat maps in colorful powerpoint presentations. And vendors of security tools have marketing departments that are adept at providing reasons for why you absolutely must buy their excellent tool. The funding conversation is quite a bit different when discussing funding for a new cyber security tool:
Cold-hearted Purse String Holder:
Will this new tool improve the effectiveness of our security?
Cyber Security Beggar:
Yes. Effectiveness of cyber security will improve by 80%. Here is a powerpoint presentation that proves it. We got the presentation from the vendor.
Cold-hearted Purse String Holder:
Excellent! No further questions. Funding granted.
Cyber Security Beggar:
Thank you, oh lord of the purse strings.
Making the case for security training and additional cyber security resources in a funding situation can be eased by linking specific projects or risks to the funding request(s). Showing business value is the key to funding in any organization, but it is critical for cyber security.
Third, security training – as with most training – is viewed as something you must do to meet a corporate policy requirement or as a requirement to comply with a regulatory or a security framework requirement; PCI DSS, ISO, NIST, SOC and other frameworks all have a tick box for security training. This “you have to do this” mentality makes security training like a parent-child discussion about eating vegetables because they are good for you.
We know from breach data that most security incidents occur because of people. Establishing and encouraging a culture of security should be the objective of any cyber security program. Security training provides the foundation for a culture of security.
Security tools are an essential component of a believable cyber security program, but tools won’t create a culture of security. Indeed, tools are often used to create a feeling that the organization is protected or even invincible. In such an environment, people let down their guard and allow bad actors to take advantage of security vulnerabilities.
Instead of focusing on tools, focus on building a security culture.
How do you know if you have a strong security culture? Think of ADEO:
Awareness:
Have developers completed training that includes the OWASP 10?
Have employees completed security awareness training?
Defensive:
From your last security risk assessment, have critical and high risks been assigned ownership and been either fixed or remediated?
Is there an incident response plan and has it been tested?
Is there a business continuity plan and has it been tested?
Engagement:
Is there a cybersecurity-business liaison assigned to provide business within the organization a one-stop place to engage cybersecurity?
Do projects engage cyber security to identify security risks?
Does the CISO report to upper management and are they able to bring issues directly to the Board of Directors or CEO?
On-going:
Is the funding for the cyber security program and cyber security training appropriate compared to peer companies?
Is upper management engaged regularly in cybersecurity?
Is the CISO actively involved in education of upper management on cyber security risks?
You know you have a culture of security when security awareness training and resource development are considered to be “business as usual” in projects and day-to-day operations.
3Factor can help you build a believable cyber security programme that will move your business toward a culture of security. Contact 3Factor to discuss cyber security risks and how to manage them.