Cybersecurity: Why It’s Not Just About Technology

To protect their systems from attacks, organizations need to build a culture of risk management from the ground up.
October 29, 2014
By Patrick Mallory  |  Contributor
Patrick Mallory is a consultant to federal and state agencies for Deloitte.

With cybersecurity breaches on the rise, one thing is clear: The current defenses of U.S. organizations -- both public and private -- do not rival the skill, persistence and prowess of those who seek to wreak havoc on our information-technology infrastructure and operations. What many organizations do in response to this growing and pervasive threat often stops at securing their systems through technology, without a continued focus on building and sustaining a culture of deterrence and vigilance.

The problem with this approach is that attackers and their tools are always changing. While no one doubts the need to establish a systematic, technology-based way to protect against breaches, attention is rarely paid to building a culture of security from the bottom up. For organizations that do, the results are easily quantifiable: According to a recent survey commissioned by PricewaterhouseCoopers, CSO magazine, the Secret Service and Carnegie Mellon University's Software Engineering Institute, organizations that conduct ongoing employee training and awareness programs see the average financial impact of their security breaches drop to $168,000, roughly a quarter of what those without such programs lose ($683,000).

Combine numbers like those with the fact that the 500 survey respondents reported facing an average of 135 security incidents last year, and the figures are eye-opening. And, of course, monetary losses don't account for the loss of public trust.

So what can be done? It all begins with a conversation, at the executive level down through to the most junior of staff.

At the executive level, the National Association of Corporate Directors, the American International Group and the Internet Security Alliance suggest a set of principles: While executives need to understand the complete implications of cyber risks, they also need to understand that cybersecurity is not just an IT issue but is part of enterprise-wide risk management. They should set expectations that enterprise-wide risk management is a priority that will be adequately staffed and funded. And executives need to have access to cybersecurity experts and regular discussions about cyber risk management, including how to respond to different types of risks.

In West Virginia's state government, that conversation is spearheaded by an executive-branch information-security team and a privacy management team, each established by a 2006 executive order. Through an information-security strategic plan, the state applies controls and emphasizes policy, training and regular audits for compliance, something that a majority of states do only on an ad-hoc basis.

At the staff level, organizations have the opportunity to educate employees on how to recognize and prevent attacks, something that only 46 percent of the organizations surveyed do. For those that do have these programs in place, 42 percent say their security-education programs have played a key role in deterring attacks. Topics often include how to handle suspicious emails and links, the role social media can play in attacks, encouraging staff to speak up if they notice something suspicious, maintaining control of user access and establishing strong password practices.

A 2012 Deloitte-NASCIO cybersecurity study describes how North Carolina's Office of Information Technology Services has provided agency personnel with the means to assess, validate and address vulnerabilities and easily report back to the state's centralized vulnerability-management tool. The statewide platform assists not only in sharing data but in supporting each agency's systems.

The message should be clear: No matter where you are in your organization, cybersecurity is your responsibility. Unfortunately, much work remains to give each employee the tools, forums and support to make such an enterprise-wide approach the standard. Fortunately, that work begins with a conversation.