Cyber is about culture not tech
Security culture: It's not the technology stupid - cyber resilience requires a broader response
Until boards of directors are grappling directly with cyber security rather than passing it off to technology departments, companies will struggle to attain any comfort on cyber issues.
Cyber security is less about technology than it is about culture, and the only way effective cultural programs get implemented is directly from the top.
This is not straight forward. Boards and senior executives will often confuse ‘awareness’ with culture, according to The Security Artist CEO Andrew Bycroft.
Although cyber security awareness campaigns across an organisation can be an important part of the cyber strategy, ‘awareness’ does not change behaviour. That is a cultural issue, and requires a deeper change management response with a new top-down and organisation-wide governance model.
The other common pitfall that organisations make in relation to cyber security – and it’s an expensive one – is that once they have carried an ‘awareness’ campaign and are satisfied everyone in the organisation understands what the problem is, they hand responsibility to the IT department.
“The cyber security industry is not really getting to the root cause of the issue because it is still viewed as a technology problem, and it’s not,” Mr Bycroft said. “It is a cultural issue.”
“You can’t just throw technology at it. And that’s what IT departments do – they throw more technology at it,” he said.
Mr Bycroft has been active in the cyber security sector for 20 years, and founded The Security Artist as a third-party strategic consulting house on organisational security four-and-a-half years ago. He is a technologist, but who places the weight of advice on cyber issues on a new governance structure.
He says the focus of companies should be in building cyber resilience, rather than simply on the notion of cyber security. This requires a move beyond the technology.
“We simply need to recognise that technology alone cannot solve this,” Mr Bycroft said.
Mr Bycroft is a speaker at the InnovationAus.com Cyber Security – The Leadership Imperative event being held in Sydney on May 3. He is the author of the book “The Cyber Intelligent Executive,” and a co-author of the upcoming book “Adapt or Die.”
When the belief is that the IT department will ‘solve’ the cyber security problem, it conjures thoughts that technology must be the answer. The focus of IT is on threat management. And while preventing threats makes sense – in the same way doctors say prevention is better than cure – the problems arise when that prevention fails.
And if we know anything about the cyber threat environment, it is that it is fast-moving, sophisticated, well-funded and motivated. Meaning that even the best protected systems have a propensity to fail.
Mr Bycroft says that because the IT cohort is so heavily invested in threat management that is failing, they have no capacity or means to respond and recover in the event of failure.
And that’s where a more effective focus on resilience makes more sense. This requires a much broader set of strategic plans.
“The aim of any organisation should be cyber resilience,” Mr Bycroft said.
“This requires six practices: asset management; vulnerability management; threat management; incident management; continuity management; and crisis management,” he said.
“Security awareness is not enough; and even when it is delivered it is often delivered in ways which do not have the desired impact and often delivered to satisfy compliance requirements,” he said.
“Security awareness should be an interactive component of building a culture, and to build a culture it must begin at the top with the directors.”
The Security Artist has partnered with InnovationAus.com as a sponsor of the Cyber Security – The Leadership Imperative 2017 forum