While presenting Verizon’s Payment Security Report, head of Continental Europe Advisory Services GRC/PCI Gabriel Leperlier outlined seven traps that organisations fall into when building their cyber security capabilities.
1. The CISO leaves
It’s never good when a key team member leaves, and the CISO is no exception. They often have an enormous amount of tacit knowledge about systems and risks contained in their heads, as well as the explicit knowledge that has been written down in processes, playbooks and the like. But CISOs regularly leave, on average after just 26 months.
Why? They are often the fall guy if there is a breach, and get sacked (even if it’s not their fault). Or they might be sacked for being too strict and causing an obstacle to people getting their work done. (If that happens it is almost certainly because they are being told to achieve the impossible.) Or they get poached by another organisation – when it comes to CISOs, supply doesn’t meet demand so there will always be competition for them.
2. The CISO is underqualified
All too often cyber security isn’t seen as a strategic priority. It’s a “have to have” rather than a “want to have”, and so employing a CISO is a box-ticking exercise. As a result they (and the support around them) are under-resourced. Low pay will generally mean low skills.
Another problem is the nature of the job description. People who don’t understand cyber security are likely to focus on requiring specific technical skills, without realising that the job is a wide one, needing a range of technology, people and business skills. Insist on recruiting someone who is able to carry out a pen test (rather than someone capable of employing a specialist contractor to do the pen test) and you will probably be employing someone who won’t be able to influence the board – a far more necessary skill.
3. A lack of resource
We are not just talking budgets here, but skills, tools and time. Cyber security needs to be given sufficient priority so that the organisation as a whole supports it. That might mean HR, marketing and finance executives taking time to play a role.
Of course money is important too – if it is spent in the right way and not on shiny new software that looks like fun to install but brings little value.
4. Poor strategic design
Cyber security strategy needs to come from the top with a focus on strategic business goals. If there is an exclusive focus on tactical issues, such as patching, the bigger issues, such as privacy compliance or the continued ability to trade during a cyber-attack, may get lost.
There is a need for real maturity of thought here, a deep understanding of the causes and business consequences of cyber breaches. The CIO may well not be the best placed person to guide strategy as they may not have enough insight into security. The CISO may also be the wrong person as they may not have a focus on business outcomes. Getting the right level of expertise in the leadership team is difficult, but essential.
5. Poor strategic execution
A lack of accountability and no oversight at senior level may well mean mistakes go unnoticed, unchecked. Perhaps the wrong resources are allocated because the strategic intentions are not well understood. Perhaps there is poor implementation of frameworks or compliance with standards because the people responsible and the people accountable never talk. Perhaps the agreed strategy is delegated to an IT department, where it is misinterpreted or ignored in favour of more important (i.e. more interesting) activities.
6. A lack of continuous improvement
The cyber security landscape changes at a frightening speed. It demands constant attention if strategies are to remain relevant and tactics to remain effective. A good security framework will include internal and external benchmarking and a constant willingness to evolve in response to change. Clarity of objectives is also essential and as part of that there should be a common understanding of security metrics and their significance to the business.
7. Communications and culture
People are at the heart of organisations – and the heart of organisational security. Any organisation needs to build up a culture where people are aware of the importance of security and understand how to maintain it. There needs to be a general acceptance that cyber security is the responsibility of everyone, from the CEO to the newest intern.
Leaders set the desired culture, but developing the right culture is largely a function of good communications – vertically and laterally within an organisation, and also between an organisation and the other organisations it interacts with. Poor lines of communication weaken culture and destroy the ability to respond to a cyber security crisis.
With increasing numbers of people shopping online, understanding payment security is more important than ever. The Verizon Payment Security Report 2020 has found a marked decrease in PCI DSS (the Payment Card Industry Data Security Standard) compliance, which indicates that many organisations are putting customers’ financial details at risk. This year’s report found that only 26.9% of businesses were compliant throughout the year. In 2016, that number was 55.4%.