Businesses make various key decisions daily, and it’s up to the CEO to provide their seal of approval for each one. When it comes to security, they often like to delegate someone from the IT department to take care of it, but that should not be the case. CEOs need to play a more active leadership role in the governance and culture of cybersecurity.
Dr. Mansur Hasib, a noted cybersecurity expert and the author of two books on the subject, spoke to IT in Canada about why CEO involvement in security-related decisions is crucial, and the importance of adopting a proper cybersecurity strategy and developing a culture around it.
IT in Canada: Cybersecurity discussions begin with the development of a strategy. Why is it important for enterprises to have a proper cybersecurity strategy in place?
Hasib: The strategy and leadership of any effort really defines the tone for the whole organization. It also ensures that the leadership embraces that effort as their role. Part of the problem in the industry has been that most CEOs have not really embraced cybersecurity as their responsibility.
I’ve been hearing a lot of reports that say that boards are going to make CEOs responsible, and without that strategy coming from the CEO, nothing is ever going to work. Humans make decisions, and technology does not (develop) strategies; that’s the key. That’s why I have been personally focusing on the human and leadership elements.
ITIC: How does leadership factor into a cybersecurity strategy?
MH: Leadership engages people. The key thing about cybersecurity is that it is not an individual effort. If you have a 1,000 member organization and all 1,000 members handle data, use technology and use systems, you essentially have to engage all those people into this cybersecurity strategy (and) the continuous improvement process. This is because each person handling the data really knows how to improve it and how to find flaws in the way that data is handled. Therefore, that engagement has to come through leadership, as without leadership, it won’t be embraced.
The other thing is that leadership also means the fostering and the cultivation of other leaders. For example, if you have an organization with one leader and 1,000 followers, you will only get one decision throughout the organization at any given time. However, if you have a 1,000 member organization where the leadership has cultivated 1,000 leaders, now you’re going to have 1,000 decisions being made simultaneously. It is much better for innovation, risk handling and productivity, and you don’t have failure.
ITIC: Why is governance important to cybersecurity?
MH: You have to have rules within the organization; you cannot have a free-for-all kind of leadership. Governance defines the limits within which each person is authorized to make decisions, and it helps them to understand their scope.
Think about it like having different position players on a baseball team. The first baseman should know what his or her responsibilities are, similar to the third baseman. Each position player has to know the limits of their decisions. They should have practiced to know each other’s range, and the governance defines that range.
Governance can also build culture for an organization. Both leadership and governance combine to build the culture of an organization, and culture defines behaviour more than anything else.
ITIC: What is the relationship between cybersecurity culture and cybersecurity compliance?
MH: Cybersecurity compliance simply means you check the box. Compliance is a very static picture; you can be compliant today, and yet, someone can exhibit a behavior which now causes a breach for you. Compliance does not govern behavior at all; this is part of the problem.
For example, in the case of Target Canada, (the company) was actually deemed to be compliant weeks before the news hit the streets. We know that compliance does not give you any level of cybersecurity, and we have spent billions of dollars pursuing compliance, when, in fact, compliance gives you nothing.
ITIC: What does the future hold for cybersecurity compliance within corporate spheres?
MH: The way it holds is that the compliance must be somehow exhibited in the behaviour. You really need to focus on the results of the compliance rather than on compliance itself. Compliance has a role in developing the culture, (and) the compliance standards can impact how you develop your cybersecurity strategy. But it by itself does not give you cybersecurity.
One of the problems with compliance is that it gives you this artificial sense of security. Just because someone has deemed you compliant, it doesn’t mean that you’re done or are in great shape. Some people breathe a sigh of relief and tout it as something their businesses have accomplished. But without that continuous improvement, they cannot function.
I would say that the focus needs to be on culture and regular behaviour. People need to understand that compliance only buys you very little, and you need to focus so much on (it). Part of the problem is that some companies spend so much money on the compliance aspects that they have forgotten to implement the real cybersecurity. This is what I found when I was talking to various organizations that are focused on compliance.
The whole compliance effort, along with getting the certification and the authority to operate, takes so much (time) that they don’t do anything else.
ITIC: Going forward, will more CEOs take an active role towards cybersecurity?
MH: I do believe that that will happen. I’m seeing that change beginning to happen as these boards get engaged and we start to have more detailed discussions about cybersecurity.
When I last spoke at the Digital Governance Institute’s conference in Washington, D.C., I asked (the audience) about how many of them thought that cybersecurity is a technology issue, and how many thought cybersecurity is a leadership and governance issue. Of the 300 people in the room, no one raised their hands when I asked if it was a technology issue.
All of these people were leaders. There were probably not too many organizational CEOs there, and that’s been part of the problem. Getting CEOs to attend these information sessions has been a challenge, and hopefully, that will improve over time. I know several efforts are in place now, and I know several CEOs themselves are seeking out true cybersecurity strategists to help them understand their role.