Blog

SANS has recently published its annual security awareness report (click on the link for a copy). Key is the concept of ‘security awareness’, which when combined with their Security Awareness Maturity Model provides a pathway to improved cyber security by managing the organizations cyber security culture.

Sound familiar? It should as that has been my message for years and is integral to my approach and courses. All the cyber security technology is worthless if the organizations cyber security culture is dysfunctional, or in SANS terms poor security awareness. I have worked for years with Social Operating Systems Ltd., a pioneer in culture management and measurement, to develop, refine and adapt the culture measurement and management concepts to the cyber security environment. One tool you might be interested in is my survey that allows a quick assessment of the inherent support provided by your organizations cyber security culture. To try it out click on the following link Culture Canary Survey. If you would like more information regarding cyber security culture click on the following link Cyber Security Culture Management.

It might be helpful to make sure we all understand the terms.

• ‘Culture’ - core values that are held in common across the organization.
• ‘Cyber Security’ is the protection of the organizations cyber ecosystem. Physically, technologically and behaviorally through facilities, training, communication, technologies, standards, policies and procedures that are implemented, updated and monitored on a regular basis.

Further I created a simple self-assessment in hopes that it will cause you to consider the impact that your organizations corporate cyber security culture has on your efforts to address your cyber threats and exposures.

It consists of a simple matrix of 10 different aspects of cyber security culture each having six different descriptions of how an organization addresses the aspect. It will be obvious that the descriptors range from outright hostility to cyber security to embracing it totally. Your choices will determine just how supportive your organizations cyber security culture is to your efforts. The simple scoring table provides a summary assessment. What is important is not to get the ‘right’ answer but to pick the one that best describes your organization. Only in that way can you get value from this assessment.  It is pictured below.

If you find it of interest and would like to pursue the implications further I have included the following link that if clicked will download the Cyber Security Culture Barometer. . 

Background

Today the pace of change in malicious cyber events is accelerating. In the past the risks were mainly in someone gaining access to valuable information such as proprietary company information, financial records, customer credit card data, and similar information and then using the information for gain. I am now seeing a rise in harming the ability of an organization, or an individual, to function by disabling key operations, and sometimes demanding a ransom payment to return it to normal. Additionally there is a rise in malicious exposures to harm a company’s repute.

It seems every day a new cyber threat arises, which leads to a great deal of activity to determine how to react to it. This is a strategic mistake. Focusing solely on cyber threats is a losing proposition as there will always be a new cyber threat to deal with, it is technologies version of cyber ‘wack-a-mole’. You need to stop playing cyber wack-a-mole and begin to take the offensive against the predators that infest the cyber eco-system we all inhabit.

What you need to do is to identify and manage your cyber exposures so you are not always playing catchup. That is not to say you should ignore cyber threats. You need to deal with ones that are prevalent in your cyber eco-system. Rather, you need to also, if you want to get ahead of cyber threats, identify and deal with your organizations cyber exposures. By ‘cyber exposures’ I mean the vulnerabilities that arise from inhabiting the cyber eco-system. Realize that these vulnerabilities are not just technical but rather are rooted in human behavior, legal and compliance matters, use of social media, the cloud and the Internet of Things (IoT).

A key in improving the likelihood of success in addressing the many cyber exposures your organization faces is understanding the mindset of the members of your organization – the cyber security culture. This can be done by examining attitudes towards cyber exposure, responsibilities towards cyber security, and awareness of the cyber threats in general. In other words how does your organization view cyber security? Is it only a technical concern? Not a real problem? An annoyance to be circumvented? The answers to these and similar questions will go a long way towards understanding the approach you will need to improve your organizations cyber defenses. If your culture treats cyber security poorly then your organization is more likely to undermine your efforts and experience a cyber event.

Observations

The SANS paper provides an understanding of what successful security awareness programs are doing right. This is helpful information, however, it is only part of the story. As I mentioned previously one needs sound technical defenses with supporting policies and procedures supplemented by identifying and managing all your cyber exposures with a supportive cyber security culture. Missing any of these key elements will leave your organzation vulnerable to cyber predators. The Graphic below summarizes these three elements and their interlocking dependencies.

I do not think one can depend on security awareness alone. It is necessary, albeit I believe it should be called cyber security culture, but not sufficient for cyber security.

One other point is it mentions the need for metrics but it does not provide examples of measures or how to create them. If you take my course on Advanced Cyber Exposure Management at the Global Risk Academy you will learn how to do so.

I also think more attention needs to be paid to areas that are experiencing rapid growth and are providing the cyber predators with new targets of opportunity. Specifically the Internet of Things (IoT), cloud computing, and social media.  

Next Steps to Consider

I suggest you digest the SANS report and then consider taking our courses at the Global Risk Academy

I assume you have a cyber security program in place. If you do not have an existing cyber security program stop reading and develop and implement such a program. For such a cyber security program I strongly recommend you make sure your program includes the following:

• Written cyber security policies and regulations that you publish and distribute to all employees, vendors and contractors.
• Education regarding your cyber security policies and regulations that is required of all members of your organization, including senior executives, vendors and contractors. 
• Making sure all default settings and vendor supplied passwords have been changed from those initially supplied. 
• Sensitive information[1] that you handle, process or store is identified, responsible party identified, protected by encryption and access controls? Are they monitored?
• Backup copies for all organizational data, especially sensitive data, made on a regular basis with off-site, secured storage.
• Do your disaster recovery/business continuity plans (DR/BCP) include sections covering your cyber eco system, its many components, it recovery and continuing operation should an unforeseen event occur.
• Your normal operating procedures should include change management and configuration management processes. The detail documentation should include who is responsible and how that individual will be monitored and managed.
• Firewalls that cover outbound transmissions as well as inbound.
• Wiping clean all devices and materials disposed of. This includes copiers, printers, cell phone, other intelligent devices as well as the usual hard drives, pc’s and laptops.
• Both physical and electronic intrusion detection and monitoring.
• BYOD policies and procedures

This list is not meant to be exhaustive, rather indicative of the details that existing cyber security plans should include. To assure a high level of confidence in your cyber security plans and programs I recommend you have an outside expert conduct a review to uncover any deficiencies.

I hear a great deal about rising cyber threats. It seems every day a new cyber threat arises, which leads to a great deal of activity to determine how to react to it. This is a strategic mistake. Focusing solely on cyber threats is a losing proposition as there will always be a new cyber threat to deal with, it is technologies version of cyber ‘wack-a-mole’. You need to stop playing cyber wack-a-mole and begin to take the offensive against the predators that infest the cyber eco-system we all inhabit.

Instead what you need to do is to identify and manage your cyber exposures so you are not always playing catchup. That is not to say you should ignore cyber threats. You need to deal with ones that are prevalent in your cyber eco-system. If you want to get ahead of cyber threats, identify and deal with your organizations cyber exposures. By ‘cyber exposures’ I mean the vulnerabilities that arise from inhabiting the cyber eco-system. You need not be doing anything exotic or leading edge just use computers, smart devices, networks and the Internet and you are in a cyber eco-system that has predators hunting for vulnerabilities. Realize that these vulnerabilities are not just technical but rather are rooted in human behavior, legal and compliance matters, use of social media, the cloud and the Internet of Things (IoT).

You need to identify as near as possible all your cyber exposures. You need to know if you have major cyber exposures and so that you can begin to prioritize and address them. If you are not aware of all your cyber exposures then you will be defending your organization from the known threats while leaving major access paths into your organization for predators to exploit. And the predators  are like most people, they will go for the easy prey.

To accomplish this you need to understand how to identify your cyber exposures and then understand how best to manage those that you have found. I suggest that to do this, if you do not have the current knowledge and ability, you should consider my definitive course bundle, ‘The Definitive Guide to Cyber Exposure Management ’ available at the Global Risk Academy.

Final Thoughts

SANS calls it ‘Security Awareness’ I call it ‘Cyber Security Culture Management’ whatever you call it make sure you do it. Or you will increase the likelihood that you will suffer a malicious cyber event

In summary: cyber security culture matters and cyber security culture can be managed.