According to Deloitte, “91% of all cyber attacks begin with a phishing email to an unexpected victim.” Those unexpected victims are at all levels of organizations. They are in accounting, marketing, sales, the C-Suite, IT, and other areas. Sometimes even staff in the cybersecurity are compromised. Occasionally the individuals themselves are given full blame for the attacks. In fact, the former CEO of Equifax did just that, blaming one person for knowing the vulnerability that led to the breach was in their systems, but failing to inform the patching team.
With all due respect, the former CEO of Equifax is wrong.
He’s not wrong that the actions of one person can have a disastrous effect on an organization and its stakeholders (including millions of people, as in the case of Equifax). But he is wrong to lay the blame on that one person.
The problem isn’t that one person didn’t do their job. The problem is that there was no process in place to ensure that the job was done.
In our NIST Cybersecurity classes we reference both the NIST Cybersecurity Framework and the NIST Risk Management Framework. In the latter NIST defines three levels to an organization. In simple terms the levels are Executive, Management, and Technical. Please forgive me for going a bit deep here. Let’s summarize the responsibility of each level in relation to cybersecurity.
- Executive: Describe the mission, vision, and overarching goals and objectives of the organization. Define the overall cybersecurity strategy, determine risk tolerance, and wield ultimate decision-making authority. Confirm decisions are carried out that meet executive requirements and serve the organizational stakeholders.
- Management: Make risk management and cybersecurity policies, processes, and procedures based on the decisions of the Executive level. Confirm Executive agreement with, support and approval of, and participation in policy plans. Assign implementation tasks to the Technical level. Confirm policies and implementation tasks are executed in such a way as to meet Executive requirements. Report to the Executive level.
- Technical: Implement Management policies in technical solutions, verify implementation, and report results to the Management level.
Now, back to why the Equifax CEO, and any other C-Suite member who blames a person at the Technical level for a major breach, is wrong. Let me start by saying, anyone, at any level can make a mistake, overlook something, have a brief lapse in judgement, or (in rare cases) be a malicious insider. Those are problems. But they are all problems that can be mitigated, and there are only two ways to mitigate them.
The first way? Technical solutions. Hardware, software, and configuration settings. It’s what most people think of when we discuss cybersecurity. A person could argue that proper implementation of technical solutions could stop, or at least decrease the impact of the incredibly high percentage of breaches that are caused by human error. That’s true in some cases, but not all.
The second way? Policies, processes, and procedures, including sufficient checks and balances to confirm “proper implementation” of technical solutions AND user engagement of cybersecurity practices.
Why did Equifax get breached? Not because one person didn’t do their job. No, Equifax was breached because there was no process in place to make sure the job was done. The Management level didn’t create a process…and the Executive level was either unaware or had abdicated their responsibility to make sure the cybersecurity strategy had proper checks and balances.
At LRS Education Services I work with people at all three levels, doing cybersecurity assessments, teaching cybersecurity classes, and I hear stories that bring fear to me. These organizations have basic cybersecurity lapses that would be relatively simple to exploit for a MAJOR breach. They are energy companies, financial entities, health care providers, government departments, educational institutions, and so many other industries, and you know a major reason why they aren’t secure?
The C-Suite is neither supportive of nor participating in cybersecurity for the organization.
Simply put, based on behavior and lack of allocation of resources, the Executive level does not care about cybersecurity.
I can tell you how to dramatically increase the cybersecurity at your organization. It’s not complex to explain.
- Get the Executive level to consider cybersecurity risk at the same level as other organizational risk, such as financial risk.
- Work with all three levels, and outside experts, to determine a framework upon which to focus your cybersecurity program.
- Have the Executive level very visibly promote, support, and participate in cybersecurity for the organization by being part of making strategic cybersecurity decisions.
- Make sure each executive does their job in a way that shows their commitment to cybersecurity.
- Have the Management and Executive levels work together to create policies, procedures, and processes, with necessary checks and balances, to confirm implementation. Include regular reporting to the Executive level.
- Allocate sufficient resources to the Management and Technical levels to have hardware, software, time, and personnel to meet the requirements of the policies, procedures, and checks and balances. Include regular reporting to the Management level.
Did you notice that technical solutions didn’t even get mentioned until the last step? Everything hinges on the Executive level. If the executives aren’t properly engaged, then you’ll never have a strong cybersecurity program.
It’s that simple.
Want more details? Come join us for an upcoming LRS NIST Cybersecurity Framework Bootcamp course!
-Troy Stoneking, NIST CSF Certified Trainer and Assessor