How “Security Culture” Affects an Organisation’s Risk of a Potential Breach
Over the last two years, announcements by Marriott, British Airways, Travelex and now EasyJet about how their systems were compromised and breached by malicious actors must have every business, whether small, large or enterprise, thinking about its current security level and how to improve it. In reality, the board will be asking the CISO: “could this happen to us?”
For a business, the normal security defence is to apply software patches quickly and to use technologies that block or identify malware infections in a blanket fashion across the IT estate, which on its own is not enough.
However many resources you consume in an attempt to keep malware and other threats out, this can be undone by a breach:
- where a vulnerability is exploited before it can be patched. Once a vulnerability is announced it is normally weaponised within days, so the normal monthly patching cycle is far too long. Even when running basic vulnerability scanners, a business with hundreds of servers will be facing tens of thousands of vulnerabilities, and the critical systems and vulnerabilities get lost in the noise.
- or as soon as an unsuspecting user clicks on a malicious link or falls for a phishing attack, which would normally utilise the latest vulnerability for which no patch has been released (often called a “zero day”) to subvert the user’s device, giving the attacker a foothold in the business IT estate.
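To show how the critical items get lost in scanner noise, and how they can be pulled back out, here is an added example (not from the original article): a small prioritisation routine over constructed scanner findings. It assumes a CMDB supplies an asset tier and a threat-intelligence feed flags findings as weaponised; the hostnames, placeholder vulnerability identifiers (VULN-…) and weights are all made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    vuln_id: str         # placeholder identifier, not a real CVE
    cvss: float          # base score reported by the scanner
    asset_tier: str      # "critical", "important" or "standard" (assumed to come from the CMDB)
    weaponised: bool     # a working exploit is known to be in use (assumed threat-intel flag)
    internet_facing: bool

TIER_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}

def priority(f: Finding) -> float:
    """Rank by business exposure, not raw CVSS, so a weaponised flaw on a critical system is not buried under mediums."""
    score = f.cvss * TIER_WEIGHT[f.asset_tier]
    if f.weaponised:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    return score

def remediation_sla_days(f: Finding) -> int:
    """Deadline in days: days rather than a monthly cycle for what attackers already use; 30 only for low-exposure findings."""
    if f.weaponised and (f.internet_facing or f.asset_tier == "critical"):
        return 2
    if f.weaponised or f.asset_tier == "critical" or f.cvss >= 9.0:
        return 7
    return 30

def patch_queue(findings: list, top_n: int = 5) -> list:
    """Return the top_n (host, vuln_id, sla_days) entries to work on first."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.host, f.vuln_id, remediation_sla_days(f)) for f in ranked[:top_n]]

def build_sample_estate() -> list:
    """Constructed data: 300 hosts with one medium-severity finding each (the noise) plus three that matter."""
    noise = [Finding(f"srv{i:03d}", f"VULN-{1000 + i}", 6.5, "standard", False, False)
             for i in range(300)]
    signal = [
        Finding("payments-db", "VULN-0001", 7.5, "critical", True, False),   # weaponised, critical asset
        Finding("web-edge", "VULN-0002", 9.8, "standard", False, True),      # internet-facing
        Finding("lab-vm", "VULN-0003", 9.8, "standard", False, False),       # high CVSS, low exposure
    ]
    return noise + signal

if __name__ == "__main__":
    for entry in patch_queue(build_sample_estate()):
        print(entry)
```

Sorted by raw CVSS the 7.5 on the payments database would sit behind two 9.8s and be indistinguishable from the mediums on a large estate; weighting by asset tier and exploitation status puts it first with a two-day deadline.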
“Hackers do not cause breaches, people do.”
Frank Abagnale
These are just some of the multitude of ways attackers can enter a business IT estate, and don’t forget about the third parties who support your systems.
As we saw with Marriott, British Airways and Travelex, failing to react rapidly to the initial breach can cost the entire business dearly.
What is the difference between the most secure businesses and the rest? They are the ones that make cybersecurity part of their overall culture: security is a process and a business problem, not something isolated to the IT department.
The businesses run by leaders and board members with advanced “security maturity” focus on breach prevention, intrusion detection, threat intelligence and building a security-aware workforce. Most likely they take a data-centric rather than a system-based view, spending money and resources on protecting their critical data.
They constantly test their own people and systems for weaknesses, and regularly drill their breach response preparedness with scheduled desktop and wargaming exercises. These businesses also come up with inventive ways to reduce the amount of sensitive data they store, even to the extent of rendering the data valueless if it is taken outside the business’s control or visibility.
But the “security maturity” level does not just show what businesses are lacking; it can serve as a basic roadmap for businesses that wish to change.
Businesses that are able to improve their security maturity have a leadership that is both invested and interested in making security a fundamental priority.
The key to success is influencing leadership to make security a priority before the organisation falls victim to a breach, at which point it is too late.
The levels below outline how the corporate mindset and the perceived importance of security at the executive level affect a business’s priorities when it comes to taking effective measures to manage cyber risks and threats.
“True Cyber Security is preparing for what is next, not what was last”
Neil Rerup
Without senior management buy-in, security will be the bare minimum. Security needs to be driven from the top, because senior management provide the budget and resources to implement change.
What is the “security maturity” level of your business?
Level 1: Non-existent
- Focused on prevention in a reactive way; breach notifications most likely come from customers or the media.
- Security is viewed as an IT problem.
- No formal security policy.
- No CISO; responsibility for security sits with the Head of IT or IT Manager.
- No dedicated security personnel.
- No security budget; security is absorbed into the IT budget.
- Basic perimeter controls based on point solutions, driven by cost and necessity rather than integration.
Level 2: Compliance Focus
- Investments driven by mandates.
- Checkbox attitude to meeting the latest regulation, such as GDPR, PCI DSS etc.
- Ad hoc processes, with a written policy.
- Minimal reporting to executives, based on checkbox compliance.
- Security although having no budget is
- Basic monitoring technologies implemented.
Level 3: Awareness
- Building a security ecosystem for detection and response with tools that are beginning to integrate and complement each other.
- Security is integrated into the business.
- Although security might still be part of the IT budget, it is accounted for and measured separately.
- The security team has more autonomy from IT; the CISO is most likely a peer of the CIO and works outside the IT department.
- Some form of automation, with proactive controls.
- Formal policies and processes, which users are aware of and trained on.
- Incident response is tabletop-tested, but predominantly IT driven.
Level 4: Change
- A security ecosystem with the ability to respond proactively to threats, with tools that integrate and complement each other.
- CISO reports to a C-level board member; executive support.
- Security is accounted for in a separate budget.
- High levels of automation and integration.
- The business has a dedicated security team.
- Proactive threat detection, both internal and external; users and staff are made aware.
- Policies and processes are fully documented; the whole business is aware of and educated on security.
- Incident response that is regularly tested, with established countermeasures.
Level 5: Metrics
- Capable of withstanding and defending against even the most extreme attacks: cyber resilient.
- CISO reports to the CEO/Board, and is most likely a regular attendee at board meetings.
- Security policy fully integrated with corporate governance.
- Cybersecurity is part of the culture; users and staff are aware and ensure security is considered as part of their job, possibly with financial motivation such as a component of their bonus.
- A robust incident response that includes the whole business and is regularly tested.
- A security ecosystem with the ability to respond proactively to threats, with tools that integrate and complement each other and produce meaningful metrics.
Level 5 is where a high level of security maturity has been achieved and the business can defend against and withstand even the most extreme attacks.
Generally, the CISO has a place on the board, reporting directly to the CEO or even the audit committee, so that security risks are considered alongside all the other risks the business faces, and a culture of security is driven throughout the workforce.
Risk needs to be articulated in a way the board understands: simply put, how a security risk will impact the business’s bottom line.
To get to this level there are several things that businesses need to do.
- Invest in capabilities that cut right across the threat detection and response lifecycle, backed by strong security intelligence capabilities.
- Allocate sufficient budget to security, with the entire programme overseen by an executive responsible for bridging the traditional communication gap between security practitioners and those in charge of the purse strings.
- Provide sufficient dedicated security resources, so that security comes to be viewed as a business enabler rather than the “Project Prevention Department”, and a culture of security can be driven throughout the whole workforce.