Boards continue to be held accountable for cybersecurity failures. (Shareholder Suit Against Wendy’s for Cyber Breach) It’s déjà vu all over again. As we go into 2017, it appears we will have to continue to beat the drum in favor of board-level education and training around cybersecurity. You would think they would all get it by now, but the surveys say otherwise.
Certainly, board education is critical, but it is just one part of the puzzle. To make a real dent in managing cyber-risk, the organizational culture must change. Everyone in the company must understand the threat and their role in prevention and recovery, and cyber-risk must be part of every business decision. A company whose culture has inculcated these characteristics is well on its way to effectively managing the risk in cyberspace.
So what does it take to change the culture of the company? No matter what aspect of the culture you are trying to change, culture change has to be initiated, supported and implemented under the leadership of the CEO. If the CEO does not lead the culture change, it is not going to happen. Nowhere is this more important than in getting a company to adopt a cybersecurity culture. The CEO needs to aggressively pursue three specific training threads and they must be synchronized, coordinated and mutually supporting.
The first level is user training. Surveys continue to show that user training is not well done, if it is done at all. The smaller the company, the less likely it is to invest in any type of user training. For those companies that do conduct user training, whether they are large or small, the majority accomplish the training during the onboarding process, and recurring training is sporadic at best. Overall, users continue to find the training boring and not relevant, and simple tests like phishing exercises show that the training is not particularly effective. User training must occur regularly, since the threat changes constantly and the user technology changes as well. Short, relevant bursts of training are more effective than long annual sessions. And senior executive participation and engagement is a must to show that the training is important for everyone in the company.
The second level of training is Board training. Some type of Board training is becoming more common, although not many boards invest the three to four hours necessary to get a solid foundation in cyber-risk oversight, including an appropriate level of technical education, so they can have an “adult” conversation with the CIO or the CISO. Even when the Board invests in the foundational training, they typically do not get the periodic refresher necessary to stay current. Educated Boards ask the right cyber-risk questions and, more importantly, they understand the answers. Like all education, this cannot be a one-time event. It must be a process of continual learning.
The third level of training, and one that is not typically accomplished, is training for the SVPs, VPs, directors and mid-level managers and supervisors that builds on and is synchronized with the Board training. Companies that do a pretty good job of user training and also invest time with their boards are probably missing a critical link: training all the managers who work between the CEO and the line employee. Those business unit leaders, HR people, accountants, business development execs and others need to get a version of the Board education so they understand what their responsibility is in helping to establish a culture of cybersecurity. This mid-level manager training should address cyber-risk management at a level appropriate for the level of supervision. It should support the tone set at the top by the Board and CEO. If the leadership levels below the CEO do not understand and embrace their role in setting a cybersecurity culture, then culture change will never occur, no matter how hard the CEO works at it.
Tying these three levels of training together is best accomplished when the training is specifically designed top to bottom ensuring that the message is consistent from the Board down to the most junior employee. Everyone has to understand their role in establishing and sustaining a culture that says cybersecurity is critical to our business success.