Why Many Organizations Still Don’t Understand Security

I hear it all the time.

“My management just doesn’t ‘get’ security.”

Or, “We tried those cyberactions a few years back, but now our execs are on to something else.”

And all over the world, people say: “My management thinks that we’ve had no major data breaches, so we must be doing something right.”

Or, “Our tech leaders are obsessed with (fill-in-the blank) security solution, but they don’t seem to care about anything else. While that product is great, we have so many other holes that are not being addressed.”

Sponsorships Available

Sponsorships Available

Sponsorships Available

Or, “We’ve had so many vacancies for so long, that this has become the new normal. Every time we get a few people in, we tend to lose others just as fast. There is just nothing that seems to work consistently.”   

Or, “I’m ready to give up and move on. I’m so frustrated. Our leaders jump from one shiny black box to another almost like the latest diet fad. But we never implement things properly.”

Finally, how about, “Sadly, our leaders say we’ve been there, done that, and got the cyber T-shirt. After we checked that major compliance box, there’s no more budget to maintain the solution or keep staff.”

I could go on and on, but the sentiment from a surprisingly large and diverse set of public- and private-sector technology and security pros is that (for any number of reasons) their organizational culture and executive leadership does not understand, or maintain, or listen to, or follow through on needed cybersecurity actions to protect the enterprise effectively.

I typically hear these types of comments after I give a presentation at a security or technology event, and the sentiment usually comes from frustrated IT or security staff. Occasionally, I hear similar lines from executive leaders like CISOs and CTOs as they adjust to new situations. Sometimes, I will hear these types of comments from auditors or former employees of an organization who “had to get out of that place because something was going to blow up.”

This blog will attempt to expose some of the reasons why these perceptions are happening and offer a few potential tips to help change the conversation and security priority.

Show Me the Data 

But just in case you think this topic is subjective, here is some data from Tripwire, as reported by ITWorldCanada.com last year:

• Only 11 percent of respondents believe their organization tracks all hardware devices on their networks;
• Only 21 percent say their organization tracks more 90 percent of their software, while 56 percent track less than 70 percent;
• A third of respondents said their organization doesn’t require changed default passwords, 41 percent still don’t use multifactor authentication for accessing administrative accounts, and 43 percent do not require unique passwords for each system;
• More than a third (38 percent) said they still struggle to enforce configuration settings;
• Almost two-thirds of the organizations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.

So the million-dollar question is why. Why does management under-invest in cybersecurity over time?

An excellent report by the Harvard Business Review (HBR) in 2017 explored this question.  Here’s an excerpt:

“In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. For example, they may think about cyber defense as a fortification process — if you build strong firewalls, with well-manned turrets, you’ll be able to see the attacker from a mile away. Or they may assume that complying with a security framework like NIST or FISMA is sufficient security — just check all the boxes and you can keep pesky attackers at bay. They may also fail to consider the counterfactual thinking — We didn’t have a breach this year, so we don’t need to ramp up investment — when in reality they probably either got lucky this year or are unaware that a bad actor is lurking in their system, waiting to strike. …

The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find the cracks in the wall. That’s why cybersecurity efforts have to focus on risk management, not risk mitigation. But this pessimistic outlook makes for a very tough sell. …”

The report goes on to offer some potential answers / solutions like:

• Replace your CEO’s mental model with new success metrics.
• Survey your peers to help curb overconfidence.
• And, train internal staff and run your own penetration tests.

Of course, some public-sector and small private-sector organizations may not have adequate funding to properly secure the data collected. However, those situations tend to be the minority of sentiments expressed. In most cases, tech and cyber staff feel the organizations have the resources, just choose to use them in other ways.   

I also really like this presentation from a few years ago on the topic “Executive cybersecurity in 8 minutes” from Maj. Gen. Brett T. Williams, USAF, (Ret). While the technology may have changed the basic points he makes are still valid.  

My Tips for Positive Changes in Enterprise Cybersecurity

So what do I recommend? In reality, this question is at the heart of what I have been writing about in my blog over the past decade — with a special emphasis on government. Here are some topics that I examine in details at the blog/article links provided

• How to get management support for security
• After bad security audit findings, is there a silver lining?
• What are some keys to ongoing success in government cyber programs?
• Seven keys to create a positive cyber culture

Another approach is to examine good case studies from peers doing a good job over time. Here are some examples:

• State of Missouri cybersecurity program under CISO Mike Roling’s leadership
• Lear Corporation’s cybertraining as a corporate best practice in security awareness training.
• New Jersey’s cybersecurity program and Security Operations Center
• Focus on cybersecurity by the National Governors Association

Consider looking at your industry-specific data breach numbers, and discuss those metrics and reports with your management team.

Also, on a personal level, finding (and sticking with) a professional mentor can help put your situation into an industrywide context. You won’t regret getting that outside perspective.  

Final Thoughts

Recently, I was very impressed with the steps being taken by Beaumont Hospital following a large settlement with state and federal regulators last year.

The amount of sign-offs and audit work to verify responsibility and accountability is amazing, and everyone in their organization has a new, strong and motivating role in ensuring that security controls are being implemented and enforced. Yes — this was a after a major, costly settlement with ongoing external (federal) oversight. However, they have certainly taken that big lemon and are making lemonade out of past mistakes.

[Note: The Beaumont situation was not a data breach, but the incident still has the described effect.]

The sad truth is that some organizations don’t change until after a major data breach. The new management walks the talk and lights a fire under the security program in order to recover.

Nevertheless, security and tech pros can take meaningful steps to help your organization “get” cybersecurity.