By Darren Argyle, Group Chief Information Security Officer, Qantas
Cybersecurity is moving from having purely technical relevance to increasingly societal relevance, affecting the way we live our lives and honour our obligations. Business leaders must respond by engaging cybersecurity specialists who understand psychology, sociology and criminology aspects, but also know how to leverage technological innovation that can scale to meet the challenges head on. This expanded viewpoint feels natural for those of us who have been in the cybersecurity industry long enough and have the relevant experience to know that building a risk aware culture is a priority.
At the heart of most corporate cyber crisis lie the risks involved in managing people. After a host of scandals during the present century, companies recognize that policies and procedures count for very little if they ignore the human element. Efforts to tackle the matter are being made, yet major breaches keep happening. Credit-checking group Equifax this year blamed “human error and technology failure” for one of the largest data breaches in history, affecting more than 145 million people in the U.S. alone. Poor communication of risk and execution at the people level was the suggested cause.
“People risk” can range from deliberate acts of fraud or sabotage to failure to follow rules, poor training, strategic miscalculations or someone opening a virus-infected email. Globalization and technological changes add complexity to the risks companies face and the speed with which problems can escalate. The effects of poor human risk management can be long-lasting, costing millions of dollars in clean up activity, heavy fines, and lost customer trust. A culture of hiding mistakes, compounded by human weaknesses in understanding the basic cyber security principles can often be the root cause.
The purpose of cyber risk management, however, is to allow risk to be taken safely; innovation depends on risk. On the whole, financial firms are getting better at managing cyber risk; they have more money to throw at the challenge, or because they have been regulated to do it. They have deployed safeguards, such as enterprise risk management (ERM) systems, and Governance Risk and Compliance (GRC) platforms, however, these create a false sense of security because they are not directly engaging with employees on a regular basis to manage human risk. The outcome of great human risk management is the success and resilience of the business. Available research suggests there are five principles needed to achieve business resilience: 1) the ability to anticipate problems; 2) adequate resources to respond to changing conditions; 3) a free flow of information up to board level; 4) the capacity to respond quickly to an incident; and 5) a willingness to learn from the experience.
CEOs and business leaders still need to set the tone at the top, define the corporate culture and standards of behavior, but it’s the CISO and their security teams who need to build trust among employees. Employee relationships with the cyber security teams can become more detached if we simply rely on legacy outdated methods of education and awareness. It’s important to understand how to improve decision-making, to identify vulnerabilities, remain in compliance and reduce unsafe behaviours; by bringing together quantitative tools of risk management with a qualitative psychological perspective, to build a risk aware culture.
The human risk factor and increasingly societal relevance of cybersecurity means we must go beyond simple tick box exercises and not assume our people are engaged because they passed an annual test or didn’t click a phishing simulation link. It’s undeniable that organizations need to lift their cybersecurity culture game to address the elephant in cyber security’s room – the “human factor.” Organizations can do a better job by calling data sources together they already have, using a scalable technology platform solution to deliver tangible rewards from improvements in human risk management. Stop looking at your people as the weakest link, engage with them often, build trust and empower them to become the strongest link, because without people….your proccesses, your technology simply won’t work!
Let me know your thoughts, please comment and/or direct message me here to continue the conversation. Happy to discuss how I’ve applied human risk management strategies to build a more cyber resilient business, and by using an innovative scalable technology platform and how I’ve been able to accelerate human risk reduction and build a sustainable risk aware culture.
This post appeared as a LinkedIn post by Darren Argyle and is published with his permission.
