SANS has recently published its annual security awareness report (click on the link for a copy). Key is the concept of ‘security awareness’, which when combined with their Security Awareness Maturity Model provides a pathway to improved cyber security by managing the organization's cyber security culture.
Sound familiar? It should, as that has been my message for years and is integral to my approach and courses. All the cyber security technology is worthless if the organization's cyber security culture is dysfunctional, or in SANS terms, if security awareness is poor. I have worked for years with Social Operating Systems Ltd., a pioneer in culture management and measurement, to develop, refine and adapt the culture measurement and management concepts to the cyber security environment. One tool you might be interested in is my survey, which allows a quick assessment of the inherent support provided by your organization's cyber security culture. To try it out, click on the following link: Culture Canary Survey. If you would like more information regarding cyber security culture, click on the following link: Cyber Security Culture Management.
It might be helpful to make sure we all understand the terms.
Further, I created a simple self-assessment in the hope that it will cause you to consider the impact that your organization's corporate cyber security culture has on your efforts to address your cyber threats and exposures.
It consists of a simple matrix of 10 different aspects of cyber security culture, each having six different descriptions of how an organization addresses the aspect. It will be obvious that the descriptors range from outright hostility to cyber security to embracing it totally. Your choices will determine just how supportive your organization's cyber security culture is to your efforts. The simple scoring table provides a summary assessment. What is important is not to get the ‘right’ answer but to pick the one that best describes your organization. Only in that way can you get value from this assessment. It is pictured below.
If you find it of interest and would like to pursue the implications further, I have included the following link, which when clicked will download the Cyber Security Culture Barometer.
Today the pace of change in malicious cyber events is accelerating. In the past the risks were mainly in someone gaining access to valuable information such as proprietary company information, financial records, customer credit card data, and similar information, and then using the information for gain. I am now seeing a rise in harming the ability of an organization, or an individual, to function by disabling key operations, and sometimes demanding a ransom payment to return it to normal. Additionally, there is a rise in malicious exposures intended to harm a company’s reputation.
It seems every day a new cyber threat arises, which leads to a great deal of activity to determine how to react to it. This is a strategic mistake. Focusing solely on cyber threats is a losing proposition, as there will always be a new cyber threat to deal with; it is technology's version of ‘whack-a-mole’. You need to stop playing cyber whack-a-mole and begin to take the offensive against the predators that infest the cyber eco-system we all inhabit.
What you need to do is to identify and manage your cyber exposures so you are not always playing catch-up. That is not to say you should ignore cyber threats. You need to deal with the ones that are prevalent in your cyber eco-system. Rather, if you want to get ahead of cyber threats, you also need to identify and deal with your organization's cyber exposures. By ‘cyber exposures’ I mean the vulnerabilities that arise from inhabiting the cyber eco-system. Realize that these vulnerabilities are not just technical but rather are rooted in human behavior, legal and compliance matters, use of social media, the cloud and the Internet of Things (IoT).
A key to improving the likelihood of success in addressing the many cyber exposures your organization faces is understanding the mindset of the members of your organization: the cyber security culture. This can be done by examining attitudes towards cyber exposure, responsibilities towards cyber security, and awareness of cyber threats in general. In other words, how does your organization view cyber security? Is it only a technical concern? Not a real problem? An annoyance to be circumvented? The answers to these and similar questions will go a long way towards understanding the approach you will need to improve your organization's cyber defenses. If your culture treats cyber security poorly, then your organization is more likely to undermine your efforts and experience a cyber event.
The SANS paper provides an understanding of what successful security awareness programs are doing right. This is helpful information; however, it is only part of the story. As I mentioned previously, one needs sound technical defenses with supporting policies and procedures, supplemented by identifying and managing all your cyber exposures, with a supportive cyber security culture. Missing any of these key elements will leave your organization vulnerable to cyber predators. The graphic below summarizes these three elements and their interlocking dependencies.
I do not think one can depend on security awareness alone. It is necessary, although I believe it should be called cyber security culture, but it is not sufficient for cyber security.
One other point: the report mentions the need for metrics, but it does not provide examples of measures or how to create them. If you take my course on Advanced Cyber Exposure Management at the Global Risk Academy you will learn how to do so.
I also think more attention needs to be paid to areas that are experiencing rapid growth and are providing the cyber predators with new targets of opportunity: specifically, the Internet of Things (IoT), cloud computing, and social media.
I suggest you digest the SANS report and then consider taking our courses at the Global Risk Academy.
I assume you have a cyber security program in place. If you do not have an existing cyber security program stop reading and develop and implement such a program. For such a cyber security program I strongly recommend you make sure your program includes the following:
This list is not meant to be exhaustive, but rather indicative of the details that existing cyber security plans should include. To ensure a high level of confidence in your cyber security plans and programs, I recommend you have an outside expert conduct a review to uncover any deficiencies.
I hear a great deal about rising cyber threats. It seems every day a new cyber threat arises, which leads to a great deal of activity to determine how to react to it. This is a strategic mistake. Focusing solely on cyber threats is a losing proposition, as there will always be a new cyber threat to deal with; it is technology's version of ‘whack-a-mole’. You need to stop playing cyber whack-a-mole and begin to take the offensive against the predators that infest the cyber eco-system we all inhabit.
Instead, what you need to do is to identify and manage your cyber exposures so you are not always playing catch-up. That is not to say you should ignore cyber threats. You need to deal with the ones that are prevalent in your cyber eco-system. If you want to get ahead of cyber threats, identify and deal with your organization's cyber exposures. By ‘cyber exposures’ I mean the vulnerabilities that arise from inhabiting the cyber eco-system. You need not be doing anything exotic or leading edge: just use computers, smart devices, networks and the Internet and you are in a cyber eco-system that has predators hunting for vulnerabilities. Realize that these vulnerabilities are not just technical but rather are rooted in human behavior, legal and compliance matters, use of social media, the cloud and the Internet of Things (IoT).
You need to identify, as near as possible, all your cyber exposures. You need to know if you have major cyber exposures so that you can begin to prioritize and address them. If you are not aware of all your cyber exposures, then you will be defending your organization from the known threats while leaving major access paths into your organization for predators to exploit. And the predators are like most people: they will go for the easy prey.
To accomplish this you need to understand how to identify your cyber exposures and then understand how best to manage those that you have found. If you do not have the current knowledge and ability, I suggest you consider my definitive course bundle, ‘The Definitive Guide to Cyber Exposure Management’, available at the Global Risk Academy.
SANS calls it ‘Security Awareness’; I call it ‘Cyber Security Culture Management’. Whatever you call it, make sure you do it, or you will increase the likelihood that you will suffer a malicious cyber event.
In summary: cyber security culture matters and cyber security culture can be managed.
Here are your options again for studying cyber security and exposures at the Global Risk Academy:
Option 1. Understanding Cyber Exposures - For Beginners
Option 2. Advanced Cyber Exposure Management
– Part 1 – Identifying Cyber Exposures
– Part 2 – Cyber Exposure Program Management
Option 3. A Bundle of all 3 courses - 35% off the original price (most cost effective option)
Sensitive information includes, but is not limited to, personally identifiable information, proprietary organizational information, and other sensitive information.