Last Updated on 2022-07-08 by Joop Beris
There are few things as important in cybersecurity as the involvement of upper management. If the C-level executives aren’t involved or don’t see the point, no cybersecurity strategy will succeed. Here are 10 ways management fails at cybersecurity and what you, as a security professional, can do to address them.
10 ways management fails at cybersecurity
1. Failure to allocate resources
Even if management tells you that cybersecurity is important, if they don’t back that up with sufficient resources, you will not be able to get the job done. Implementing an organization-wide security program cannot be done for free or at low cost. It also cannot be done without spending time and energy.
This is one of the worst of the 10 ways management fails at cybersecurity. If you are facing such a situation, remind them that every organization gets the cybersecurity it is willing to pay for. If you pay peanuts, you get monkeys. If your management is serious about cybersecurity, they will be willing to allocate a reasonable amount of resources to a well laid-out plan. You do have that, don’t you?
2. Thinking that security is an IT issue
IT is incredibly important for any organization nowadays and for that reason alone it is important to secure your IT resources well. But it is nonsense to think that cybersecurity can be solved by IT, or that it can be solved by securing your IT alone. No matter how many next-gen firewalls you buy or how much you spend on antivirus software, that only takes care of part of the problem.
Remind your management that every person in the organization is a potential avenue for a security breach. All employees must be trained, processes must be audited and each system must be secured if you plan on having a successful cybersecurity strategy.
3. Not realizing what’s at stake
An organization is more than the people that work there or the building(s) in which it is housed or the products it delivers. An organization has an identity and a reputation in an ecosystem of companies, organizations and customers. That reputation is often worth much more than a building. Your company’s most valuable asset is how it is known to its customers. It only takes one security incident to wipe out this carefully cultivated reputation. One major data breach at a financial institution and customers may well walk out.
Management has often spent considerable time and effort in cultivating this reputation, sometimes over the course of decades. An unwillingness to take cybersecurity seriously may directly undermine all they have worked so hard for. And who wants to see all their work go to waste?
4. Treating cybersecurity as a product
Cybersecurity doesn’t come neatly packaged and shrink wrapped, ready to be deployed. It’s not something you can buy (although some vendors may make you believe that). Cybersecurity is a complete range of products, procedures, countermeasures and training that are embedded in every department or team of an organization. It requires daily attention and fine-tuning.
Remind managers that sales pitches are just that: sales pitches. Personally, I’d rather have well trained and security aware staff than the latest and greatest firewall. A working cybersecurity program is only achievable through a layered defense.
5. Lack of vision
Also a bad one among the 10 ways management fails at cybersecurity. As with any program, you need a goal to work towards. A cybersecurity strategy should be intimately interwoven with and directly supportive of the organization’s strategy. While drafting effective cybersecurity measures, you will inevitably stumble upon risks and problems. When management is made aware of a problem, it should be acted upon, not brushed aside. One of the characteristics of great leaders is the ability to recognize problems before they become emergencies.
Every manager wants to be seen as a good manager. Help them become that great leader by showing them the existing problem with a proposed solution. This way a proactive approach to security becomes a vehicle for managers to show their leadership qualities.
6. Thinking only about the cost
Unfortunately, some managers only think about the cost of a cybersecurity program. They feel it is a waste of resources to invest in something as intangible as security. After all, we have just seen that cybersecurity isn’t a product. They may not recognize the added value of security.
Managers like this can be hard to convince but it may help to remind them that there is a risk involved in inaction. If we want something to improve, we have to put effort into it in terms of money or time or both. The long range cost of inaction may be far greater than the resources it would take to establish an effective cybersecurity program.
7. Thinking we have too much security
Security should be tailored to what it is intended to secure. You won’t spend 1 million euro to secure something that would only take 10.000 euro to replace…unless it is worth 1 million euro to the organization. Unfortunately, cybersecurity is not something you can relax about from time to time. If a risk exists, rest assured that someone will eventually exploit it and cause damage.
Remind such managers that risks always exist and that it is therefore always necessary to recognize these risks and take appropriate countermeasures to mitigate them. Managers are responsible for the security of their processes, and not taking appropriate countermeasures may come back to haunt them.
8. Failing to prepare
When a serious cyber incident occurs, there is nothing even the most powerful CEO can do about it. It’ll be too late. They’ll be at the mercy of experts, relying on measures that have been taken in the past and the incident response plan. Even though, as the old saying goes, no plan survives first contact with the enemy, it’s critical that you have a plan in case something happens. When a serious incident like a ransomware outbreak happens, you won’t have time to think about your response. You’ll need to act! If you’ve never thought this through and you don’t have an idea of what to do or who to call, you’ll make mistakes, you’ll waste precious time arguing and you will make containment and recovery that much more difficult.
Managers who do not take the need to prepare seriously would do well to remember the old boy scout motto: Be prepared! Just as a fire brigade trains how to handle fires, who does what during an emergency and who makes the decisions, so too should your security team. When the time comes (and it will come) that a serious cyber incident occurs, there will certainly be pressure, but at least everyone will know what to do.
9. Not setting an example
Everyone knows this type of manager: the rules apply to everyone but not to this individual. He or she is just too important. No one is allowed to take sensitive documents home but this person regularly sends them to their personal email address, refuses to secure his/her cellphone or laptop, etc. Managers like this are detrimental to the functioning of your cyber security program. An attitude like this trickles down to their employees or even to other managers. There is no easy cure for C-level neglect and managerial non-compliance.
A good manager will lead by example, also when it comes to cybersecurity. If a manager like the one described above will not fall in line, even after you have discussed matters with them and explained why their compliance is vital, you may have no alternative but to go to their senior, if they have one. Make sure to keep records of the discussions you had with such individuals and keep a copy of the emails sent to them. If push comes to shove, the record will show that it wasn’t for lack of trying on your part.
10. Hit snooze on the wake-up call
What is nicer than hitting the snooze button on your alarm clock early in the morning and just staying in bed a little while longer? The only trouble is, if you do it too many times, you’re going to oversleep. This can happen with cybersecurity as well. Often there will be signs that something isn’t right long before a major incident occurs: a report from the CISO, for instance, about procedures that aren’t being followed or vulnerabilities that need to be addressed. Of course a manager has to balance resources and make decisions, so sometimes hitting the snooze button is legitimate. But when that alarm keeps blaring every month, a manager should realize that something needs to be done.
Incidents should lead to changes or updates in policy or the introduction of additional countermeasures. Remind such a manager that he/she is responsible for addressing such issues and for taking appropriate action. Prepare a proposal for them to decide on. If that doesn’t help, again you may need to go over their head to get the matter addressed. Failing to take care of issues may come back to haunt them, especially if there’s been a string of reports that preceded a major cybersecurity incident.
The above are 10 ways that management fails at cybersecurity. Have you encountered one of these and if so, how did you address it? Do you have any comments or tips and tricks for cybersecurity professionals who deal with such issues? Are there other ways management fails at cybersecurity? Let me know in the comments below!
Hey, thanks for writing this. It’s an insightful article and unfortunately also often too true. I’ve found that managers often listen to other managers. So it could be a good strategy to invite a manager who had to deal with the fall-out of a security incident and the lessons learned from that.