Why our leaders could be our weakest link
Those of us who are paying attention, or have been involved in Cyber Security, Data Protection or Information Security for any length of time, will have seen a number of trends that continue to this day. Firstly, that cybercrime and data breaches aren’t decreasing – they’re increasing; and secondly, that we are repeatedly told ‘user error’ is the number one cause of these breaches.
Personally, I believe that there is no such thing as an infallible IT system, because IT systems are built and used by humans. There are studies that have shown Artificial Intelligence (AI) systems with inbuilt biases, because they were designed by humans. There was/is a saying: “To err is human. To really foul things up you need a computer.” I think the correct version is “To err is human. To really foul things up, you need flawed thinking.” (not as catchy, I know).
Flawed thinking: “It’s an IT issue!”
So what can we do to reduce the number of data breaches and lessen the impact of cybercrime? Normally at this point you’d hear someone shout ‘provide staff with more awareness of the risks’. And I would agree, to a point. But it’s not just ‘staff’ that need this. Yes, we should train everyone, but there are those at the top of the organisation who need very specific training and awareness.
You see, when we speak to business owners and leaders, we hear how “Protection of information is of paramount importance to us!” (usually you hear this AFTER the data breach), yet when challenged on what this actually means, they’ll often point you to the IT department and tell you it’s their responsibility. Or they’ll say “We need to train our staff on what to look out for”. Well, here’s the benefit of 20 years in Information Security, underpinned by 35 years working in IT… Staff usually know what the issues are – it’s just not important to them, because they don’t think it’s important to you!
Does that sound harsh? Now, don’t get me wrong. I’ve seen a shift in thinking over the last few years and it’s fantastic to see. There are some great leaders out there who are making sure that Data Protection is hardwired into all they do. But this needs to happen more, and I’m sure it will as the current Board room is replaced by a more technically aware and ‘people-focused’ group of people.
Leaders: lead by example
Unfortunately, however, we still find ourselves talking to business owners or leaders who point elsewhere and say “It’s their responsibility to protect data. Give them more training.” This is said as they leave to sit on a train discussing business deals over the phone (in a busy carriage) or working on that ‘all-important’ sales strategy which clearly outlines how they’re going to dominate the market (in a busy carriage). Do you see where I am going?
These are the kinds of leaders who will state their staff must have more training, then tell you they are too busy to do the training themselves. Or who will say that Information Security is important, but won’t buy a ‘privacy screen’ (for £9.99) for their laptop. They are the same people who will demand to know why the systems were breached, but refused to increase the budget for a penetration test of the network. And finally… These are the leaders who sit in meetings, looking at their phones, working on their laptops whilst the person ‘responsible’ for Data Protection and Information Security explains why we need to invest in more training, consultants, hardware, software or whatever it is that they need.
Your children are watching
Like a parent-child dynamic, employees look to their leaders to set the tone and the direction of the business. They are watching how you behave, and if you behave anything like the above, then you WILL have a crisis on your hands. Because if you don’t believe information security and data protection are important, then neither will your team.
What can you do?
The answer is simple:
- Be visible.
Even if you’re really NOT that interested, fake it! Let others see that you are actively engaged, even if it means turning up to the first 5 minutes of a 2-hour session on Information Security. Tell the audience how important this topic is and that you’re sorry you can’t stay, but that you will be looking for feedback from attendees and the organiser and setting up a separate debriefing session later.
- Lead by Example.
If the rule is that everyone has a PC, then don’t insist on having a Mac just because “they are way cooler than a PC!” If the rule is that everyone needs to have a privacy screen, then get one.
- Put Data Protection and Information Security on the Board room agenda
One of the clearest indicators of success is that these topics are discussed around the Board room table. Make someone responsible for these topics at the highest levels, and don’t put them at the end of the day when they’re likely to get 5 minutes of airtime (this is the voice of experience here!). Putting it simply: put security ON the agenda, before it BECOMES the agenda.
Finally… Please, please, please stop saying that Information Security and Data Protection are an IT issue! This thinking is so outdated it’s almost embarrassing! If you need to be reminded: data exists in paper folders. It sits on phones. It sits in people’s heads. It comes out of their mouths. Protecting data isn’t only about having a firewall! It’s about knowing where your data exists and the risks to it.
But things are changing. Slowly. I’ve been asked to present to a Board room of 6 business leaders who want to know what the REAL threats are. When I asked how long I was expected to speak, they responded, “You have 2 hours”. I think I should just about be able to cover all I need to cover in that time, whilst still having time for questions.
Mahatma Gandhi once said “Be the change you want to see in the world”, and whilst I don’t think he was thinking about Cyber Security leadership, it’s still relevant. If you want to build a stronger, more secure business, start at the top.