written by Pierluigi Stella
A while back, I wrote that it is time for companies to start treating cyber security the way processing plants (i.e., refineries) treat physical security. When you walk into such a plant, you can tell that security is the primary concern of every operation and every person in that building.
There’s a board at the gate showing “number of days without incidents“.
You walk in and are instantly ‘assailed‘ by posters inviting you to “think security“, “if you see something say something“, “use hard hats”.
And so forth.
Security is an obsession for these companies, because they know all too well the consequences of an incident.
And given its importance, security permeates the company all the way from the lowest level employee all the way up to the chairman and board. As it should be. In my blog post, I stated that businesses (and by that I mean all businesses) need to treat cyber security the way process plants treat physical security. They need to make it part of their business decision-making; they need to make it part of the company’s culture; they need to ensure that cyber threats remains top of mind in every single action and decision undertaken by every single employee and executive, each and every single day. And yes, I am using _every_ over and over, and yet over again because I simply cannot stress more how important it is that security becomes truly pervasive.
This article by Daniel R. Stoller goes very much in this same direction.
SECURITY IS NOT A NUISANCE.
And the attitude adopted by many boards that business comes first, has to stop. Business can only come first if business does not endanger the entire company. And that is the mindset responsible boards need to be taking.
At NBUSA, we deal with many banks as clients. And sometimes, it happens that we block an email from a potential or existing client of theirs. The reason is often that the email originates from a compromised IP address which is known to be sending out malware. I’ll tell you that the ensuing reaction of our client is a tell tale indication of their attitude towards cyber security. I’ll explain. I’ve had a client fire a vendor because the vendor’s IP addresses were compromised. And I’ve had a client threatening to sue our company because, according to them, by blocking those emails we risked causing them a loss of business.
Clearly, one client had a very responsible attitude towards cyber security, in that they’d much rather lose the business than risk compromising their company. The other client had the exact opposite reaction – willing to compromise the entire company without a concern for the individual who wanted that email? Why is that? Because that second client does not make security a priority for all employees. So the loan officer who wanted that email at all costs, cared nothing about the potential cyber threat because within that company framework, it was not his concern. And because security is (obviously) not a pervasive culture in that company, it makes them a sitting duck for threats to spread, since no one aside from IT apparently seems to care about the safety of their information.
Security is achieved best when the culture of the company has the word security written all over it. And for this, as the article correctly states, the mindset needs to change at the top, starting from the board.
THE MINDSET MUST CHANGE.
Only when the board starts making business decisions based also on security considerations, will the culture of the entire company change in the right direction. If that loan officer could be fired for endangering the company, he’d think twice the next time someone tells him that an email he’s waiting for could contain a threat.