Cyber security is moving from having purely technical relevance to increasingly societal relevance, affecting the way we live our lives and honour our obligations. Business leaders must respond by engaging cyber security specialists who understand the psychology, sociology and criminology aspects, but who also know how to leverage technological innovation that can scale to meet the challenges head on. This expanded viewpoint feels natural to those of us who have been in the cyber security industry long enough, and have the relevant experience, to know that building a risk aware culture is a priority.
At the heart of most corporate cyber crises lie the risks involved in managing people. After a host of scandals during the present century, companies recognise that policies and procedures count for very little if they ignore the human element. Efforts to tackle the matter are being made, yet major breaches keep happening. Credit-checking group Equifax this year blamed “human error and technology failure” for one of the largest data breaches in history, affecting more than 145m people in the US alone. Poor communication of risk, and poor execution at the people level, was the suggested cause.
“People risk” can range from deliberate acts of fraud or sabotage to failure to follow rules, poor training, strategic miscalculations or someone opening a virus-infected email. Globalisation and technological change add complexity to the risks companies face and to the speed with which problems can escalate. The effects of poor human risk management can be long-lasting, costing millions of dollars in clean-up activity, heavy fines and lost customer trust. A culture of hiding mistakes, compounded by human weaknesses in understanding basic cyber security principles, is often the root cause.
The purpose of cyber risk management, however, is to allow risk to be taken safely; innovation depends on risk. On the whole, financial firms are getting better at managing cyber risk, either because they have more money to throw at the challenge or because regulation requires it of them. They have deployed safeguards such as enterprise risk management (ERM) systems and Governance, Risk and Compliance (GRC) platforms. These, however, create a false sense of security, because they do not directly engage with employees on a regular basis to manage human risk. The outcome of great human risk management is the success and resilience of the business. Available research suggests there are five principles needed to achieve business resilience: 1) the ability to anticipate problems; 2) adequate resources to respond to changing conditions; 3) a free flow of information up to board level; 4) the capacity to respond quickly to an incident; and 5) a willingness to learn from the experience.
CEOs and business leaders still need to set the tone at the top and define the corporate culture and standards of behaviour, but it is the CISO and their security teams who need to build trust among employees. Employee relationships with the cyber security teams become more detached if we simply rely on outdated, legacy methods of education and awareness. It is important to understand how to improve decision-making, identify vulnerabilities, remain in compliance and reduce unsafe behaviours, by bringing together the quantitative tools of risk management with a qualitative psychological perspective to build a risk aware culture.
The human risk factor, and the increasingly societal relevance of cyber security, mean we must go beyond simple tick-box exercises and not assume our people are engaged because they passed an annual test or didn’t click a phishing simulation link. It is undeniable that organisations need to lift their cyber security culture game to address the elephant in cyber security’s room: the “human factor”. Organisations can do a better job by bringing together data sources they already have and using a scalable technology platform to deliver tangible rewards from improvements in human risk management. Stop looking at your people as the weakest link; engage with them often, build trust and empower them to become the strongest link, because without people, your processes and your technology simply won’t work!
Let me know your thoughts; please comment and/or direct message me on here to continue the conversation. I am happy to discuss how I’ve applied human risk management strategies to build a more cyber resilient business, and how, by using an innovative, scalable technology platform, I’ve been able to accelerate human risk reduction and build a sustainable risk aware culture.
Darren is an Industry Fellow at the Chartered Institute of Information Security (CIISec), a board member and a keynote speaker with over 20 years’ cyber leadership experience. He is the former Group CISO for Qantas Airlines and a former FinTech Group CISO, has held executive positions at IBM, and was Group Chief Information Security Risk Officer for Standard Chartered Bank. He was ranked in the Top 100 Global Chief Information Security Officers (CISO) in 2017 and 2022, and in the Top 100 Global Cyber Security Influencers in 2016 and 2017 by SC Magazine.