From boards to front line staff, humans aren’t always great at handling risk. The mind measures threats on both intuitive and rational pathways, and sometimes the messages they send conflict.
Where cyber is concerned it’s the intuitive side that often wins out. Surrounded each day by systems, screens, devices and data, for many people computing is just part of the background. It’s hard to sustain risk awareness when the sources of risk seem so mundane.
That sense of cyber-apathy is becoming an issue for security leaders. As technology becomes ever more integrated with life and work, it becomes more like a utility – necessary and ever-present, but less and less visible.
And therein lies the danger. If end-users and executives see security as too removed from their day-to-day lives to take it seriously, the insider threat can’t help but be magnified.
That puts CISOs under even more pressure to stop the companies they work for from sleepwalking into a breach. Cyber defenses have to be able to stop outside attacks and mitigate the impact of inside acts of negligence – especially around device security and BYOD policies. It’s a pretty big ask.
It also raises the question: ‘When a breach does occur, who’s really to blame?’ While boards are right to expect CISOs to secure the business, they need to invest equally in making sure employees sustain awareness of cyber risk, and do everything in their power to minimize it.
Technology advances – and worries
We use and rely on technology more than ever before, but what concerns me is how difficult it is to have visibility and control of the security implications this presents. For security professionals like us, there is the risk of alert fatigue, while for the general population, it’s more of a worry around awareness. You can’t fight what you don’t know.
Cyber’s role in the organization
From a corporate perspective, good data protection and security should play a central role and be intrinsically linked to every single thing we do. At the C-Suite level security should have a position at the board table. We often say, “Put security on the agenda before it becomes the agenda”, but all too often in large organizations it’s very much seen as the by-product of IT, so gets defined as a purely technical issue.
Securing the cloud – and everything attached
When I speak to cyber criminals and hackers, as I do on occasion, I ask them if they’re attacking the cloud. It turns out that it’s not the cloud that they’re trying to breach, it’s the vault. It’s far easier to find a way into the devices that are attached to cloud systems – the smart devices and gadgets you and I carry with us each and every day. That’s where the vulnerability lies, and given the proliferation of personal devices linked to company networks, it’s a serious concern.
Cyber’s role in supporting innovation
Developing new services and digital business models implies a level of risk, both the normal business risks around any new venture but also a security risk where data is concerned. Having a good level of cyber security and being able to demonstrate that you value and protect people’s data – that you respect their privacy and are careful in how you use their personal and business information – is essential. In that sense, strong cyber security can be a differentiator that supports innovation and helps establish trust.
View the full interview with Gary as part of our Security Begins Here series.