You can spend any amount of money on cybersecurity, but if the organization lacks a strong security culture, your investments will never outpace the risks. Today, the biggest cyber risk influencer is still human conduct. Ignorance, arrogance, wishful thinking, sloppiness or lack of responsibility-taking or communication are to blame for most security breaches! Culture eats security budgets for breakfast.
How do you spot security culture?
What are the indicators of a strong security culture and how do I know if I’ve got one? You cannot just ask “Is our security culture solid?” because the answer to that question, irrespective of the actual situation, will always be “Yes”.
You also will learn little from the size of the security budget or the headcount of the security team. A list of security products deployed is just a list. Absence of incidents tells you little, as may the presence of a few incidents do. Compliance to standards does not equate to security. A cyber insurance is just an insurance.
Whatever hard metric you find, it likely is not conclusive evidence of a good security culture. On the contrary, given the complexity of cybersecurity, any list of hard metrics is bound to be too long to be practically instructive to a board member. You must look for other signals.
How do you spot security culture if you are a member of the board of directors or perhaps on the audit or business resilience committee? Here are the questions you need to be asking.
How is security defined?
Start by asking the person in charge of cybersecurity – often the chief information security officer (CISO) or chief security officer (CSO) – how they define security, how they build a security culture, and how they know whether the culture is strengthening or not. The ideal answer uses no cybersecurity buzzwords and mentions no names of products or security vendors. It is not culture if it does not apply to all employees, so look for signs that security is everybody’s responsibility and that training and education is provided broadly. Transparency and a no-blame attitude are hallmarks of a great security culture, so look for signs of that. Ask them to describe a recent security incident and the actions that were taken.
The key to assessing security culture is in listening to weak signals and looking for indirect indicators. Look for how the organization deals with repetitive and boring security tasks. Observe the speed of action, or lack thereof, when something happens. Study how employees outside of the security team deal with security. Importantly, listen to what is not being actively communicated.
Where does security live?
Ask the security team to explain how their work fits into the overall business goals of the organization. If Security does not see itself as an empowerer of the business, security will not work.
Pay attention to reporting structures. Who does the CISO or CSO report to, and how is that boss goaled and measured? Is security centralized into one team or are there security job titles spread across the organization? Both models are perfectly doable. In a monolithic model, ask how they bring security out to everyone else. In a distributed model, ask how the security leaders communicate and coordinate with each other across organizational boundaries.
A proper security practice is all about listening, discipline, and speed of action. Ask the Security team how they learn about threats, vulnerabilities and incidents, and what actions they take as a result. Ask them if they share information and best practices with industry peers. Ask them how they ensure that every employee has a daily discipline when it comes to matters of security. It also takes discipline to do the preventative work needed. Ask the Security team how it ensures fast action when an incident or other anomaly happens.
What is being ignored?
And, importantly, listen to what is not being communicated from the Security team. If they don’t talk about 3rd party vendor coordination, perhaps they are not doing any? If they don’t talk about phishing, perhaps they are not helping employees avoid phishing attacks. If they don’t talk about vulnerabilities that were found and fixed, perhaps they don’t see it as a priority? The list can be much longer, and it takes a certain domain knowledge to detect what’s missing. As a board member, this is why you should learn the basics of cybersecurity. Such knowledge will help you realize what’s missing in the security posture of the company you are tasked to govern.
What can the budget tell me?
How much should be budgeted for security in order for cyber risk to shrink? When you start having a picture of the security culture of the organization, you can turn your attention to numerical and other metrics. They will make more sense now. You may track the security budget as a percentage of the organization’s overall budget for IT and communications. In most cases, that percentage needs to grow year over year, given the magnitude of the cyber threats in today’s world (and those threats are not going down but up). Look for ways to determine whether the cybersecurity work of the organization is productive. Is the security culture getting stronger, and is cyber risk slowly but surely going down? It is your duty as a board member to ensure that the cybersecurity practice has sufficient funds to strengthen its practice continually.
When an organization’s security culture is sound and the budgets sufficient, cybersecurity can flip from being an anxiety-inducing compulsory activity to a business-enhancing constructive practice. Good deeds should be rewarded and security improvements celebrated. It is not possible to be a market-leading company or a responsible government agency without a properly functioning security practice. It all starts from the security culture, and culture starts from the top. When the security culture is strong, cyber risk will be reduced.