CISO Says... We need Top Management Awareness!

Nixu Blog

August 16, 2021 at 09:00

Awareness training in cybersecurity is often the equivalent of telling road users to be careful: a good idea, but one with limited impact if it is not supported by a number of other measures.

On the road, we have rules: drive on the right side of the road, follow the speed limits, etc. Next, we have infrastructure to support safe behaviour, like traffic lights, pedestrian crossings, and guardrails. Finally, we have traffic laws, enforced by the police.

We understand and agree that these measures are needed to support safe use of the roads. In cybersecurity we need something similar. I call it Top Management Awareness.


The standard way of addressing cybersecurity in your company is to organize it in accordance with ISO 27001. This standard makes it very clear that top management is accountable for a functioning Information Security Management System.

Top management should be aware of this accountability and its implications. Just as on the road, management needs to provide rules, infrastructure, enforcement, etc. This is not always the case. In my experience, this lack of awareness is due to two reasons [1]:

  1. Optimism bias

    The risk is perceived as lower than it is. Many security problems arise from technical flaws, which are hard to explain to people without an IT background. The perception is that misusing these technical imperfections is so hard that the likelihood of accidents or attacks is very low. The idea that the company is an unlikely target is also common and persistent. This leads to the belief that cybersecurity needs are exaggerated by the specialists and that the topic does not actually need much management attention.

  2. Fatalistic thinking

    ISO 27001 includes 114 controls. NIST SP 800-53, which is more detailed, contains 965 controls.
    When you take just a superficial look at these numbers, it is easy to surrender to fatalistic thinking: cybersecurity is too hard to implement. This can lead to a passive attitude: it is impossible to achieve a sufficient level of security, so why spend a lot of time and resources trying?

The quickest way of creating awareness at the top of an organization is a cybersecurity disaster. It immediately removes the optimism bias. At first there is just a risk, which is perceived as very low. Once the risk is realized and something happens, the damage becomes tangible. Not only is the company damaged, but so are personal and professional reputations. When the press is knocking on your door, it is the CFO who needs to explain the situation, not the security manager.

The smarter way is to perform a realistic quantitative risk analysis [2]. This method makes the risk more tangible and at the same time more actionable, because the effect of adding extra controls can be made visible. Quantitative risk analysis gives management control over the level of risk they are willing to take and removes the basis for fatalistic thinking.

Once top management understands the need to act and has the means to act, we have gained true top management awareness. If you are curious about how to take the first steps in building this awareness, have a look at our recent blogs on the topics of risk assessment and identifying potential cyber threats:

Cyber Risk Assessment

What Cyber Threats Can Companies Face, and How to Identify Them?

Sources:
[1] See also: https://www.infosecurity-magazine.com/next-gen-infosec/biases-perceptions-threats/
[2] https://www.nixu.com/search?saf=ciso+says+lies
