The Cyber Compliance Imperative: Bringing Employees Together with Technology (Part III of IV)
It is easy to get lost in the technology world of cyber security – the information technology business relies on lots of acronyms, techno-speak and function-specific terminology. In responding to a cyber and data security risk profile, laypersons expect to hear a lot about technology-driven solutions. In fact, a lot of time is spent reviewing, assessing and selecting specific solutions to incorporate into an overall security framework.
Chief Information Security Officers who rely on these solutions without addressing the human element are missing the most important ingredient of any cyber compliance program. Just to state another profound grasp of the obvious: humans, that is, employees, are responsible for executing business functions, and ultimately a cyber compliance program has to incorporate strong human-focused controls.
This sounds like a lot of mumbo jumbo. Let me try to boil this down. Humans have to design and implement cyber-focused controls. Humans have to communicate about these controls to ensure that everyone follows the specific protocols. Cybersecurity professionals have demonstrated strong interpersonal skills, even though they operate in a highly technical field.
The success of a cybersecurity compliance program depends on people. The more the security capabilities and functions incorporate the human "element," the greater the chance of success. In the end, people drive security success and long-term performance.
The design of a security system has to elevate employee performance by educating employees to understand security controls, identify potential anomalies, respond appropriately to potential threats and operate in accordance with existing controls. Security controls may look good on paper, but it is how they are implemented and followed in the real world that determines the overall efficacy of the security risk management program.
Employees need more than general security awareness; they need to understand the security controls themselves, the purpose behind each control, and how to implement and follow it. CISOs should always examine past cybersecurity events to look for root causes, control efficacy and employee conduct.
Cybersecurity leaders tend to focus on technology solutions without proper consideration of the human element. As an initial step, CISOs need to manage both technology and human talent so as to maximize both capabilities: technological and interpersonal skills. One key source may be an internal technology team from which talented individuals can be identified for career development programs.
As cybersecurity and technology grow in importance within an organization, more employees will perform technology functions as part of their respective jobs. Cybersecurity has to be built around how a company works, meaning that cybersecurity controls have to be tailored to the organization's workflow and to how its people are organized.
With such an integrated approach, CISOs can then develop effective assessment practices to understand their threat exposure on a continuous basis. This is a key requirement for companies so that they can make effective security investments. In this area, CISOs should use cybersecurity validation: the techniques, processes and tools that test whether a given threat could actually be exploited against the organization's controls. By bringing together a robust validation protocol, CISOs can implement repeatable assessments, develop benchmarks and respond with appropriate security controls. Most companies are moving toward cybersecurity platforms, just as they have with other risk management tools, to consolidate cybersecurity functions such as governance, privileged access and other access management functions.
A key component of any cybersecurity compliance program is board engagement and oversight. All too often, corporate boards fail to engage with and learn about cybersecurity, and instead defer in large part to CISOs. By avoiding the learning curve, boards expose their companies to additional risk arising from oversight and monitoring failures at the board level. More boards are now bringing on members with cybersecurity expertise, which is a welcome development.