Awareness training in cybersecurity is often the equivalent of telling road users to be careful. It is a good idea, but it has limited impact. On the road we have rules: keep to the right, give way to traffic coming from the right, do not drive faster than 50 km/h. Next to that we have infrastructure that supports safe use, such as traffic lights, pedestrian crossings and guardrails. And finally we have legislation, enforced by the police. Our society is aware of the fact that all of these measures are necessary for safe road use. In cybersecurity we need this as well. I call it Top Management Awareness.
The standard way of addressing cybersecurity in a company is to organise it in accordance with ISO/IEC 27001. That standard makes it very clear that top management is accountable for a properly functioning Information Security Management System (ISMS). Top management should be aware of this accountability and of its implications: just as for road users, top management needs to provide the rules, the infrastructure and the enforcement. This is not always the case.
In my experience this lack of awareness has two causes:
- Optimism bias
The risk is perceived as lower than it is. Many security problems arise from technical weaknesses that are hard to explain to people without an IT background. Misusing these technical imperfections is perceived to be so hard that the chance of someone actually doing so is considered very low. On top of that, the idea that the company is an unlikely target persists. The result is the belief that cybersecurity is exaggerated by the specialists and does not need much management attention.
- Fatalistic thinking
Cybersecurity is too hard to implement. ISO/IEC 27001:2013 Annex A lists 114 controls. NIST SP 800-53, which is more detailed, contains 965 controls. Fatalistic thinking is the belief that it is impossible to achieve a sufficient level of security.
The quickest way of creating awareness at the top of an organisation is a cybersecurity disaster. It immediately removes the optimism bias. The meme that circulated on Twitter a few weeks ago sums it up very well: before the fact it is just a risk, and one that is perceived as very low; after the event there is tangible damage. Not only the company is damaged, personal reputations are damaged as well. When the press is knocking on the door it is the CFO who has to explain the situation, not the security manager.
The smarter way is to perform a realistic quantitative risk analysis. This makes the risk tangible, and it makes the risk actionable, because the effect of adding extra controls can be made visible: the expected annual loss with and without a control can be put next to the yearly cost of that control. Quantitative risk analysis gives management control over the level of risk they are willing to take and removes the ground for fatalistic thinking. Once top management understands the need to act and has the means to act, we have gained true top management awareness.
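As an added illustration (this is not part of the original post and not a Nixu method), the following Python script shows what such an analysis can look like in its simplest form: a Monte Carlo simulation in the style of FAIR, in which loss-event frequency is a Poisson process and the loss per event is a lognormal distribution fitted to an expert's 10th and 90th percentile estimate. It reports the expected annual loss, a tail percentile and the probability of exceeding a loss tolerance, then ranks candidate controls by their net annual benefit. The scenario, the controls, their effects and their costs are all constructed assumptions for the example, not data from any real assessment.

```python
# Monte Carlo quantitative risk analysis (FAIR-style). Added example; all
# figures below are constructed illustrative assumptions, not measured data.
import math
import random
from dataclasses import dataclass, replace

_Z90 = 1.2815515655446004  # z-score of the 90th percentile of a standard normal


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: how often it happens and how much one event costs."""
    name: str
    events_per_year: float  # expected loss-event frequency (Poisson mean)
    loss_p10: float         # 10th percentile of loss per event (EUR)
    loss_p90: float         # 90th percentile of loss per event (EUR)


@dataclass(frozen=True)
class Control:
    """A candidate control: its yearly cost and its effect on the scenario."""
    name: str
    annual_cost: float
    frequency_factor: float = 1.0  # multiplies events_per_year
    magnitude_factor: float = 1.0  # multiplies loss per event

    def apply(self, s: Scenario) -> Scenario:
        return replace(s, name=f"{s.name} + {self.name}",
                       events_per_year=s.events_per_year * self.frequency_factor,
                       loss_p10=s.loss_p10 * self.magnitude_factor,
                       loss_p90=s.loss_p90 * self.magnitude_factor)


def lognormal_params(p10: float, p90: float):
    """Fit a lognormal (mu, sigma) to an expert's 10th/90th percentile estimate."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * _Z90)
    return mu, sigma


def analytic_expected_annual_loss(s: Scenario) -> float:
    """Closed-form EAL = frequency * mean loss per event; a cross-check for the simulation."""
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 50_000, seed: int = 1):
    """Total loss in each of `years` independent simulated years."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(_poisson(rng, s.events_per_year)))
            for _ in range(years)]


def summarize(losses, tolerance: float) -> dict:
    """Expected annual loss, 95th percentile year and chance of exceeding the tolerance."""
    s, n = sorted(losses), len(losses)
    return {"expected_annual_loss": sum(s) / n,
            "p95_annual_loss": s[min(n - 1, int(0.95 * n))],
            "p_exceed_tolerance": sum(1 for x in s if x > tolerance) / n}


def evaluate_controls(base: Scenario, controls, tolerance: float,
                      years: int = 50_000, seed: int = 1) -> list:
    """Rank options by net annual benefit = EAL reduction minus the control's cost."""
    baseline = summarize(simulate_annual_losses(base, years, seed), tolerance)
    rows = [{"option": base.name, "annual_cost": 0.0, "net_benefit": 0.0, **baseline}]
    for c in controls:
        r = summarize(simulate_annual_losses(c.apply(base), years, seed), tolerance)
        r["net_benefit"] = (baseline["expected_annual_loss"]
                            - r["expected_annual_loss"] - c.annual_cost)
        rows.append({"option": c.name, "annual_cost": c.annual_cost, **r})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed inputs (hypothetical scenario and controls, for illustration only).
RANSOMWARE = Scenario("ransomware outage", events_per_year=0.3,
                      loss_p10=50_000, loss_p90=2_000_000)
CONTROLS = [Control("MFA + patch SLA", annual_cost=80_000, frequency_factor=1 / 3),
            Control("offline backups + tested restore", annual_cost=60_000,
                    magnitude_factor=1 / 4)]

if __name__ == "__main__":
    for row in evaluate_controls(RANSOMWARE, CONTROLS, tolerance=1_000_000):
        print(f"{row['option']:<34} EAL {row['expected_annual_loss']:>9,.0f}  "
              f"P95 {row['p95_annual_loss']:>10,.0f}  "
              f"P(>1M) {row['p_exceed_tolerance']:.3f}  net {row['net_benefit']:>9,.0f}")
```

The table this prints is the conversation to have with management: the baseline row is the risk they are carrying today, the tolerance column is the question of how much they are willing to accept, and the net benefit column turns "implement more controls" into a ranked, costed decision. Replacing the constructed percentile estimates with calibrated ones from your own incident history and threat intelligence is what makes the analysis realistic.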
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.