4
Do Business in a Digitally Resilient Way

Most organizations think of cybersecurity as a technology responsibility, and it is—at least to an extent. Cybersecurity addresses the risks of information in digital form, and many of the ways companies can protect their information assets are indeed technological, in the form of either security controls or improvements to the broader IT environment.

However, achieving digital resilience requires far more than technology change. As noted in Chapter 3, changes in business processes can have an enormous impact in protecting important information assets. Two levers in particular point the way in driving change far outside the IT organization: integrate cybersecurity into enterprise-wide risk management and governance processes, and enlist frontline personnel to protect the information assets they use.

The first lever requires getting managers in almost every business function to take protecting information assets into account as they make an endless set of decisions that affect their company’s exposure to cyber-attackers.

Most, if not all, of these decisions involve trade-offs between accepting some form of business risk and furthering a business objective. Companies cannot force executives to take cybersecurity into consideration with rules and mandates; they have to help them both understand the risk implications of the actions they take and also accept their responsibilities as stewards of the company’s information assets—just as they are of the company’s financial assets.

The second lever pushes the change in mind-set from executives down to frontline users. Every day, every employee who has access to a desktop, laptop, or mobile device has the potential to increase the company’s risk by clicking on the wrong link or e-mailing a file to the wrong place. Companies need to help frontline users understand the value of the information assets they touch every day and put in place a set of mechanisms that encourage and enable them to interact with the company’s technology environment in a responsible way.

To do business in a digitally resilient way, executives across a range of functions will have to provide ongoing support for some fairly extensive behavioral changes among managers and frontline employees.

BUILD DIGITAL RESILIENCE INTO ALL BUSINESS PROCESSES

Cybersecurity is intertwined with almost all of an institution’s major business processes. As we saw when we looked at prioritizing information assets, every step in most business processes uses sensitive data, and every cybersecurity policy places some constraint on how functions such as marketing, operations, and product development undertake core business processes.

Unfortunately, collaboration between the cybersecurity team and many business functions is weaker than it could be. Business managers see cybersecurity as the CISO’s or chief information officer’s (CIO’s) responsibility, and cybersecurity managers have been developed and promoted on the basis of their technical expertise rather than for their ability to understand and connect with business leaders. As a result, business decisions involving product design, customer interactions, and vendor contracts can expose important information assets to unnecessary risks, and cybersecurity policies can diminish customer experiences or hurt a company’s negotiating position with vendors.

To achieve digital resilience, companies must create much tighter connections between the cybersecurity team and each critical business function—product development, marketing and sales, supply chain, corporate affairs, HR, and risk management—in order to make the appropriate trade-offs between protecting information assets and operating key business processes efficiently and effectively.

Product Development and Management

Bank customers and hospital patients quite reasonably expect that their personal data will be protected from theft. They also expect to be able to access their information online with relative ease and without cumbersome security controls. Hospitals themselves expect to be able to integrate connected medical devices into their operating rooms without creating new security vulnerabilities or forcing medical staff to learn complex protocols. However, these tensions will increase as ever more companies create richer digital connections with customers and the Internet of Things builds an even wider variety of network-connected products.

No wonder, then, that cybersecurity issues increasingly feature in products’ value propositions. Both retail and commercial buyers think about security when making purchasing decisions, especially in sensitive industries, and negative press coverage of a breach can hurt the reputation of not just the producer but also the vendor, reseller, or adviser. The customer experience, of course, also features highly in buying decisions, and cybersecurity has enormous implications for that experience. The ability to incorporate both security and a positive user experience at the product development stage will increasingly give companies a competitive advantage, but it requires a change in mind-set from both the product development and cybersecurity teams.

Understand Customers’ Preferences and the Impact on Customer Experience

Companies must understand how customers value data privacy, convenience, and the trade-offs between them. They are likely to react badly if their data are at risk because there is no protection against cyber-attacks, but if all the controls that companies install to manage that risk make their experience too painful, then they are also likely to turn their backs on the product. Standard customer research methods such as polling and focus groups can help companies understand the pain thresholds, and the business can observe customer behavior and reactions to different pilot approaches and combinations of controls, in the same way they would test the options of other nonsecurity features.

An online brokerage measures how long it takes, on average, for customers to complete a variety of tasks on its sites and then assesses new security controls on the basis of the additional time, in seconds, that they will add to important customer activities. These additional delays become part of the design and launch decision, with the business actively engaged in making trade-offs between customer experience and the security risk. If a particular control significantly hurts the customer experience, then the business can either decide to spend more to optimize the control and improve the experience, delay or cancel the feature that requires the new control, or sign off and accept the additional residual risk. Banks have learned that customers can view additional authentication layers as a positive. One institution tried to improve the customer experience by replacing its personal identification number (PIN) requirement with device recognition, so that the PIN was not necessary if a customer logged in from his or her own laptop or smartphone. Rather than appreciating the convenience, customers in fact contacted the bank because they were concerned that the security was broken. The bank reinstituted the PIN process.

In business-to-business (B2B) markets, less formal methods can be effective—it can often be enough to talk to customers on a regular basis. In some companies, informal connections with customers’ IT security teams can provide invaluable insight into those customers’ rising expectations that data will be protected and how those expectations will be translated into terms and conditions or decision criteria in upcoming requests for proposals (RFPs).

Incorporate Cybersecurity Costs and Considerations into Commercial Business Cases

New products often create new types of data or new ways of interacting with customers, which in turn create new vulnerabilities. The cybersecurity team therefore needs to make sure it has input before a new product is launched—and ideally even earlier in the product development cycle to avoid wasted or misdirected resources. The head of cybersecurity at a financial information services provider simply refuses to approve the business case for a new product until he fully understands the costs of securing the information assets associated with that product. He is fortunate to have that much power—not every CISO has an effective veto—but senior managers at the company understand the importance of security for their service offerings, and so they strongly support this requirement. They do not want to encounter unpleasant and costly surprises down the road, and they want to make sure their customers have full confidence in their security.

Build Security into the Product Development Process

The overlap between IT and product has steadily increased, even in many more traditional industries. Medical diagnostic tools are, in essence, network-connected computing devices that bear a health care logo rather than a technology provider’s logo on the box. New cars can have as many as 100 million lines of code.1 Even thermostats now connect to the Internet. Unfortunately, organizational structures have not moved as quickly as product characteristics. In many companies, there are organizational silos that divide information technologists working on new business products from their counterparts in the core IT organization. As a result, it is much harder to get an end-to-end view on risks and vulnerabilities across network-connected products and the IT applications used to manage and support them. This increases the risk that attackers could steal customers’ sensitive information or sabotage their business processes.

Companies need to increase their level of focus on the cybersecurity aspects of business products and build links between product engineering and corporate cybersecurity teams. One industrial company named a group-wide head of product security, ensured that each business had a head of product security, and created forums for the product and corporate cybersecurity teams to collaborate on assessing risks and prioritizing remediation actions.

Align Product Development Processes with IP Risks

Product development and R&D teams typically handle some of a company’s most sensitive intellectual property—information that could be devastatingly damaging if it fell into the wrong hands. However, imposing too many restrictions on the flow of information can slow innovations and add months to development efforts, which can also be damaging if a competitor is able to launch first. In some sectors, such as outsourced contract electronics manufacturing, we have seen companies adjust their business processes and risk appetite based on a better understanding of their exposure. A company with short product life cycles accepted the risk associated with a freer flow of information in order to maintain its rapid time to market, while another company, whose product life cycles were measured in years rather than months, decided to tighten its security controls to reduce the risk of sensitive plans leaking to competitors. The end results are different, but what the two have in common is a cross-functional approach to balancing the competing demands for speed, collaboration, and security.

Sales and Marketing

The relationship between cybersecurity and the sales and marketing function can be simpler for consumer industries than for B2B. Companies are reluctant to be too vocal about privacy and security issues in consumer-facing marketing campaigns, partly because it raises customers’ awareness of a risk that most companies would prefer they forget. Moreover, it can be a risk in itself to have too high a public profile on this topic because hackers may see it as throwing down the gauntlet and make an extra effort to break in. However, since customers are increasingly concerned, collaboration between cybersecurity and consumer marketing is essential. For example, we have seen mass affluent customers begin asking their wealth management providers about the security of their financial data, which means the CISO has to be able to give the financial advisers the right messages that explain and emphasize the precautions in place without making unrealistic promises.

By contrast, suppliers and customers in B2B markets are having increasingly frank discussions about data security as part of the sales and contracting processes. Customers want to know how their data will be protected, what risks they bear, and what guarantees their suppliers will provide. As a result, companies are starting to act both to protect themselves and to prevent cybersecurity issues from becoming a competitive disadvantage. Of course, this works both ways: business customers are focusing on security as a key buying factor when selecting suppliers, and suppliers are responding by increasing both their investments in security and their emphasis on what measures they can provide.

Support the Sales Force in Explaining Security Capabilities

Typically, only the CISO’s team can effectively explain the diligence with which a company will protect its customers’ data. The topic and language are too arcane for nonexperts to readily grasp, but this means companies must ensure that the cybersecurity team has the time to offer this support to the sales force. The team is also likely to need coaching in order to be effective in front of demanding customers—cybersecurity experts are not hired for their sales skills after all. We know of one health insurance CISO who spends a third of his time on just such sales activities, and naturally this has had a positive effect on the overall relationship between security and the business. The CISO was helping the sales force win business, not standing in the way. Companies must also ensure that the sales teams understand the importance of turning to the CISO’s team when they need to address customer demands and concerns.

Create Explicit Guidelines for What Guarantees Can Be Included in Contracts

As concerns about cybersecurity grow, business customers are making ever more forceful demands of their suppliers in terms of liability, inspection rights, or procedures for handling sensitive data. One insurer received a request from one of its largest customers to purge almost all of its data after underwriting. This was an impossible request to fulfill, as regulators in some jurisdictions required the insurer to retain the data for many years. Suppliers therefore need to understand exactly what they are willing (and able) to promise in contracts before negotiations begin.

Many commercial contract negotiations get bogged down in discussions over unlimited liability. Customers want suppliers to accept unlimited financial responsibility for the economic implications of any breach they cause. Suppliers are naturally loath to agree. As the cybersecurity market matures, some suppliers are considering buying insurance to cover this risk—up to whatever amount the customer requires—and then explicitly incorporating the premium into the deal structure, passing the cost on to their customer (we discuss the nascent cyber-risk insurance market later in the book). This simplifies the responsibility for any breach and clarifies the direct economic impact for both the supplier and the customer.

Companies must invest in educating the sales teams, procurement groups, and legal staff on all these security and compliance requirements, and determine when they should reach out for more specialized support.

Operations

From order capture to customer servicing and billing, operational processes necessarily touch some of the most sensitive customer information a company has. In addition, as more network-connected devices make their way into the core service delivery process, they create the possibility for disruption and sabotage via cyber-attack. Digital resilience will require companies to design core business processes with cybersecurity considerations in mind and make sure mechanisms are in place to manage the risks of network-connected devices.

Redesign Core Processes to Minimize Business Risks

One of the most powerful business process changes for reducing cybersecurity risk is purging sensitive but nonessential information, and then segmenting interactions based on a thorough “need-to-know” analysis. A property and casualty insurer has adopted this mind-set and is splitting off those claims related to high-visibility litigation, so only the best-trained and most trusted claims agents will handle them. Although this means fewer agents are able to handle any claim that comes in, this reduced flexibility is balanced by the reduction in risk that comes from fewer people handling the most sensitive claims. In a similar vein, an aerospace manufacturer segments its design teams based on the sensitivity of the engineering work so that collaboration is uninhibited within the team, but any valuable intellectual property (IP) is prevented from spreading across the whole department. Some of the “flattening” that organizations have been pursuing for operational efficiencies may have inadvertently introduced greater exposure, in a similar way that creating single, flat network environments may increase risk compared to a network that is segmented based on the sensitivity of information.

In short, an organization needs to ensure that its IT systems provide users (internal or external) with only the minimum information necessary for them to perform their work. Any more access puts the organization and its information assets at unnecessary risk. For example, a vendor that provides a specific IT service should be able to accomplish its duties with virtual private network access to a segmented part of the network, or a virtual desktop interface, rather than being given the considerably riskier system-level administrative credentials and controls. The vendor management team will not typically manage the detail of vendor access controls directly, but they should actively be involved in this discussion with the IT security team.

Give the Cybersecurity Team the Mandate to Set Network-Connected Device Policies

Many sectors are seeing a dramatic increase in operational devices that are connected to corporate networks but are managed outside the IT organization (e.g., medical instruments, production line control equipment, sensors). These devices are computers in all but name, but security has not always been a priority for their developers, as they are often devices that have evolved in technological sophistication over time and therefore are not viewed as computing devices. For example, x-ray and other imaging machines have moved from analog devices using physical film to digital devices based on image files. Nor do the people managing them in the business always have the necessary experience or expertise to secure them without more specialized support. As a result, companies have to rely on the cybersecurity team, which means the team needs both the insight to understand and the authority to assess these devices and put the required defense mechanisms in place. This can go beyond just setting requirements and includes incorporating security specialists into the design and engineering teams for products, just as they would be incorporated into a secure development process for new software.

Procurement

Products and services from third-party suppliers can contain a broad range of cybersecurity vulnerabilities: vendors could treat a customer’s sensitive information with less care than required by regulations, new connected devices can create pathways for attackers to infiltrate a corporate network, and so on. Leading companies adopt several tactics to improve the cybersecurity team’s relationship with operational and procurement functions in order to address these issues. Although, as we mentioned earlier, buyers increasingly include security as a buying consideration, it is still rare for companies to incorporate cyber-risk fully into the sourcing process. Achieving digital resilience means taking cybersecurity into consideration in vendor strategy, RFP construction, vendor/bid diligence, final negotiations, and ongoing performance management, including (where necessary) termination.

Apply a Risk-Based Approach to Vendor Assessments

Institutions still have tens of thousands of vendors (one hospital network we know has almost 30,000!). Without effective vendor governance, it is all but impossible to understand which vendors have what type of sensitive information. Risks to information assets should therefore join more traditional objectives, such as cost, quality, and operational control, as important drivers for vendor rationalization—it cannot be an afterthought.

However, even after introducing effective vendor management, large organizations will still have thousands of vendors: there are simply too many different types of specialized services, too many locations that require local providers, and too many different types of software for the number to be much lower. A thorough cybersecurity assessment of each vendor would grind contracting to a halt, so sophisticated companies are determining the depth of analysis needed based on the types of information transmitted, the size of the relationship, and the nature of the connection with the company’s technology environment. Just as companies need to prioritize controls and apply different levels of protection to different information assets, they also need to create appropriate vendor management processes that match the level of exposure. One way to create efficiency for smaller vendors with lower risk is for security and procurement teams to collaborate across companies to standardize assessment questionnaires so that vendors will not have to respond to a slightly different set of questions from each new customer. Major partners such as outsourced manufacturing or infrastructure providers can start from standardized reviews and audits, but the value of the relationship and the extent of exposure would require a more hands-on and customized approach.

The organization should outline which function is ultimately responsible for managing vendors (e.g., a central risk function vs. the contracting function), the amount of access and risk that is acceptable to expose through third-party vendors, and the governance processes in place to review and manage these vendors. Critically, these policies should also outline steps to terminate noncompliant vendor contracts; one CISO deplored his company’s vendor management function, complaining that he had never seen a vendor contract terminated despite poor information security risk management.

Keep Some Negotiation Power When Defining Vendor Security Requirements

There is an intrinsic tension between the security requirements a company imposes on vendors and the negotiating power it has over them. The more stringent the requirements, the fewer vendors will qualify and the less room to maneuver the company has. One manufacturing company had nine vendors respond to an RFP, only to see that set winnowed down to just two qualifying candidates based on compliance with security requirements. To avoid situations like this, procurement and security teams will have to assess RFP security requirements in the context of common market practice, aggregate business risks, and overall contract economics. Expecting vendors to comply with a customized set of standards will tend to narrow the participation pool, while grounding requirements in industry or international standards enables more vendors to participate without needing to meet bespoke requirements.

At the same time, vendor contracts, service-level agreements (SLAs), master service agreements, and any other documentation should be consistent with established vendor management policies. Ideally, these would lay out acceptable and required behavior for vendors’ management of information security risks, including regular security reviews and tests, employee background checks, data encryption and storage, and disclosure of breaches. SLAs should outline minimum performance levels for services that could be affected by security issues, for example, network availability for online Software as a Service applications.

Reduce the Number of Vendors

One large company, because of historic governance challenges, had nearly 2,000 IT vendors (of whom 700 had truly sensitive data) and about 25,000 vendors overall. Even the most disciplined organization cannot exercise oversight fully across that many vendors. Cost and service quality will typically be the primary driver for vendor consolidation, but the CISO must add his or her voice to the discussion, pointing out that a proliferation of vendors vastly complicates the task of tracking who touches what data and ensuring that vendors comply with company security policies.

Human Resources

Cybersecurity and HR managers need to collaborate to strike the right balance between protecting the employee and protecting the corporation’s information assets. In today’s increasingly digitized world, frontline employees handle sensitive IP and customer data that could hurt the company to the tune of hundreds of millions of dollars in terms of competitive position or legal liability.

Ensure Transparency for Employee Responsibilities

As more companies allow employees to bring their own devices to work, the line between corporate and personal technology can blur, and employee responsibilities about how they can use smartphones and even laptops can become ambiguous: What software may they install on their own device? Which devices can they connect to corporate networks? To make sure employees see security policies as fair, both cybersecurity and HR teams need to make sure that employees understand what is expected of them and the potential consequences for failing to meet those expectations. We address communication and other mechanisms to create and reinforce this culture in greater depth later in the chapter.

Align Insider Analytics with Corporate Culture

Increasingly, cybersecurity teams use sophisticated analytics to identify employees who may be exfiltrating sensitive information. These analytics can go far beyond IT-usage information. Precursors of insider risk such as financial difficulties, performance reviews, and plans to leave one’s job are often visible to the HR team but invisible to the cybersecurity team. Balancing employee privacy with protecting information assets will depend on corporate risk tolerance and culture and the regulatory environment of the relevant jurisdiction. Already, some defense contractors and hedge funds ask new employees to sign their life away in terms of the level of surveillance they agree to. In other sectors, this level of intrusiveness would be hard to imagine or even illegal. Regulatory requirements need serious consideration and appropriate legal review. The availability of extensive online employee surveillance is uncertain in some U.S. states and many parts of Europe. As a result, it will be up to senior management to determine how deeply these analytics should delve, and cybersecurity and HR will both need to help them strike the right balance, as informed by legal and compliance professionals.

Risk Management and Compliance

Cybersecurity naturally overlaps with risk management and compliance. Cyber-attacks are, after all, just another form of operational risk, and cybersecurity can be viewed as a risk management function, with the enterprise risk management team as the natural partner of the cybersecurity team. Moreover, in a growing number of sectors, regulators exercise some degree of oversight over cybersecurity decision making. This means cybersecurity teams must work with risk management and compliance managers to emphasize the risk management aspects of cybersecurity and make sure compliance does not dominate cybersecurity policies and investments. This may seem basic, but the fact is that few organizations treat cybersecurity as an operational risk domain and manage it accordingly.

The relationship between risk management and cybersecurity can vary by industry. In the financial sector or in industries that depend heavily on intellectual property (e.g., pharmaceuticals, defense), risk management programs are usually well established. These are generally effective at managing traditional market and liquidity risks but rarely systematically address information and cybersecurity risks; the solution is usually to apply classic risk management approaches to a new domain.

In the middle of the pack, critical infrastructure sectors and regulated industries such as energy and health care are beginning to improve their risk management capabilities beyond business continuity planning and disaster recovery. They very rarely cover cybersecurity risks, but the cybersecurity risk program can plug in to what is typically an increasingly mature enterprise risk function. Finally, less mature industries, such as retail, may not have a formalized risk management group at all. For these industries, the cybersecurity group may be the pioneering risk function and will need to drive the establishment of core risk processes and methods.

Collaborate with Compliance Functions to Understand Regulators’ True Bottom Line

In our interviews, we heard again and again that compliance is not security, that regulators tend to apply a checklist mentality, and that regulatory standards may be years out of date compared with the latest defense mechanisms. Managing the regulatory environment will always be challenging, but there are ways cybersecurity and compliance teams can cooperate to mitigate the impact. Given regulators’ affinity for process, providing them with transparency into mechanisms for assessing risks, prioritizing investments, and setting policies can increase their comfort level; avoiding self-imposed margins on top of the actual regulatory guidance may be even more important. One financial institution accepted significant inefficiencies in some of its core IT processes in order to comply with—its managers believed—regulatory mandates. The compliance team helped determine that in fact many of the most inefficient constraints stemmed from perceptions of what the regulators wanted, rather than actual regulatory guidance.

Integrate Cybersecurity into Enterprise-wide Risk Management Processes

After the challenges companies have faced since the economic crisis, boards and senior management teams focus on enterprise risks today in a way that would have been hard to imagine even 10 years ago. They depend on risk management functions to drive risk assessment, mitigation, and reporting across many different types of risks: liquidity, credit, regulatory, legal, and operational. But if cybersecurity is seen as the responsibility of IT and separate from other types of enterprise risk, then boards and senior management will not give it the required attention, support, and funding. Some of the companies that have most effectively engaged boards and senior management teams on cybersecurity have integrated the language and frameworks they use to assess, prioritize, and report on cybersecurity risks into the way they talk about their types of operational risk. For example, some banks view information security risk as a top-level risk event category, even though it is not one of the seven top-level categories defined by the international banking recommendations set out in the Basel II Capital Accord. For a life insurer, information security risk was moved from the purview of the board’s IT committee to the enterprise risk committee, where it shared the agenda with market and other business risks.

ENLIST FRONTLINE PERSONNEL TO PROTECT THE ASSETS THEY USE

A few years ago, a senior database administrator (DBA) at a financial institution received an e-mail about his upcoming college reunion. It addressed him by name, made reference to specific reunion events, and included a link to a site with more information.

Naturally, given his warm feelings for his alma mater, the DBA clicked on the link. Unfortunately, the e-mail was a spear-phishing attack.2 By studying the DBA’s posts on social media, cyber-criminals had been able to craft a credible message that sounded like it came from his former classmates.

When he clicked on the link, it took him to a site that installed malware on his computer. The malware was a keystroke logger that captured his passwords for several databases that contained sensitive customer information. The company avoided the acute embarrassment of having customer data disclosed only by agreeing to pay a substantial ransom to the cyber-criminals.

At a financial institution, an account manager made a simple mistake. She was sending a customer a summary of his account over the past year, but in her haste to reply she attached the wrong file, which had personal information for tens of thousands of customers. Fortunately for her, the customer alerted her to the mistake, and the ramifications were limited to a few awkward phone calls.

Such unintentional behavior that puts companies at risk is common to the point of pervasiveness. Who hasn’t attached the wrong file to an e-mail, or sent the right file to the wrong recipient? Third-party researchers can unthinkingly put sensitive IP on untrusted, external cloud storage services. Call center agents might jot their multiple passwords down on notes stuck to the side of their monitor. IT managers might let access rights to important systems accumulate and go stale as people change roles or leave. The list of unintended security breaches employees can trigger is endless.

As a result, companies that need to protect their information assets in ever more challenging environments have two choices. They can place more and more stringent controls on the technologies that employees need to do their job—reducing productivity and sometimes encouraging extravagantly insecure workarounds—and keep turning up the volume on security communications and trainings. Or they can move beyond security awareness and rules-upon-rules to put in place programs that will change frontline behavior. In the quest for digital resilience, organizations need to bring employees on board with cybersecurity’s requirements and make them allies rather than vulnerabilities.

Many CIOs, CISOs, and chief technology officers are skeptical of the potential value of trying to change people’s behavior. We asked them what the impact would be of helping frontline personnel understand the value of information assets. Less than half believed it would have a significant impact or be a game changer. In fact, technology executives rated this the least important of the seven levers we asked them about. However, their skepticism did not come from a belief that user behavior was unimportant but from a concern that it could not be changed: they took it as a constraint and not an opportunity.

Again and again, we heard technology executives talk about how hard it was to change frontline behavior. As one CISO said, “Cybersecurity awareness training doesn’t work. You’ve got sexual harassment training, regulatory compliance training, and a host of other things. We’re just one more thing that people don’t really pay attention to.”

Fortunately, there are a few institutions that have made more progress in this area than others by doing four things differently. They segment users according to the type of information they use; they draw on existing safety and quality efforts; they use design thinking to create tools and services that make it easy for users to do the right thing; and they bring all this together by applying a broad set of mutually reinforcing actions.

Segment Users Based on the Information They Need

Different types of users see vastly different types of information with varying levels of sensitivity. Manufacturing R&D teams handle incredibly sensitive proprietary IP but never touch customer data. Insurance call center agents may see health or financial information for high-profile customers but see little other data of interest to outsiders. Senior managers in all sectors have access to the company’s most critical business strategies, and sometimes it seems that administrative assistants have access to everything.

Different groups also have different attitudes toward handling sensitive information and toward risk in general. Attorneys in the general counsel’s office will (or at least should) have an inclination toward protecting confidential information that dates back to their time at law school. Traders, however, may be so focused on keeping up with the market that they never think about protecting valuable information. Researchers, especially those from an academic background, may believe that “information wants to be free,” which can terrify their bosses when multimillion-dollar IP is at stake.

Given such disparities in the types of information different users see and in their attitude to protecting that information, it should be clear that generic approaches that treat all users in the same way will have only minimal impact on digital resilience. They struggle to cut through the noise and to avoid becoming one more thing the head office has to ask everyone to worry about on top of their “real” jobs. Standard approaches are not effective in motivating people to take action.

Companies that have made progress in this area start by understanding how users in different groups and locations think about protecting information. For example, bosses at one bank learned that employees in the capital markets business were often unaware of cybersecurity risks at all, while managers in the bank’s retail business felt that they had the issue well in hand. Knowing each group’s concerns, inclinations, and blind spots enabled the bank to craft a far more challenging and ultimately effective set of messages. The group that lacked basic awareness received communications that focused on explaining that cybersecurity was a material risk, shared examples of damages other companies had suffered, and introduced initial measures they could take to address the risk. The communications to the more advanced group touched on the business case only briefly, and instead focused on next-level mitigation measures and how to interpret information security reporting. Each group got the training and support appropriate to their place along the journey to maturity.

Leading companies also draw a direct line between those assets that they have identified as critical in the prioritization process and the users that have access to them. Again, this allows for a far more targeted and effective set of interventions. If managers and employees understand what information is particularly sensitive and needs to be kept within a smaller group of people, then they can manage it so that access rights are a backup technology control measure and not the first line of defense against excessive distribution.

An oil exploration company identified its negotiation strategy for extraction rights as its most sensitive information asset. Executives joked that a note instructing an executive to “Bid $1.5 billion for a property, but don’t go above $2.5 billion,” could be a “billion dollar e-mail” if it wound up in the wrong hands. After some investigation, the company determined that only 500 people out of tens of thousands of employees had any reason to access this information (of whom, interestingly, nearly half were assistants and other support personnel). Based on this insight, it developed a “top 500” program focused on helping this tiny fraction of their employees understand how to better protect information about negotiations. This better-trained group was then given greater access rights to sensitive information within corporate applications and collaboration platforms. Given that this assessment provided only a snapshot, the company also created a regular process to review membership in the group and a mechanism to move people in or out based on their changing need to know.
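The review process the oil company describes, a regular check of who is in the “top 500” against who actually holds the access rights, is a standard access recertification. The following is an added example, not the company’s own process or code from this book; the usernames, dates, and the 90-day idle threshold are constructed for illustration. It reconciles three things: people who hold the entitlement but are not on the approved roster (revoke), people on the roster who lack it (grant), and approved holders who have not used it for so long that their membership deserves a second look (stale), along with joiners and leavers since the previous review.

```python
"""Access recertification for a small need-to-know group.

Added example, not from the book or from the company it describes.
Names, dates and the idle threshold are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Entitlement:
    """One user's grant of the sensitive entitlement, as exported from the
    application or collaboration platform that enforces it."""
    user: str
    granted_on: date
    last_used: Optional[date] = None  # None = never used since being granted


@dataclass
class ReviewResult:
    revoke: Set[str]   # hold the entitlement but are not on the roster
    missing: Set[str]  # on the roster but hold no entitlement
    stale: Set[str]    # approved holders who have not used it within max_idle
    joiners: Set[str]  # added to the roster since the previous review
    leavers: Set[str]  # dropped from the roster since the previous review


def recertify(roster: Set[str], previous_roster: Set[str],
              entitlements: List[Entitlement], today: date,
              max_idle: timedelta = timedelta(days=90)) -> ReviewResult:
    """Reconcile the approved roster against actual entitlements."""
    holders = {e.user for e in entitlements}
    stale = {
        e.user for e in entitlements
        if e.user in roster and today - (e.last_used or e.granted_on) > max_idle
    }
    return ReviewResult(
        revoke=holders - roster,
        missing=roster - holders,
        stale=stale,
        joiners=roster - previous_roster,
        leavers=previous_roster - roster,
    )


# Constructed sample data: an assistant was added to the roster but never
# granted access, one executive left the roster but still holds access, and
# another approved holder has not touched the data for months.
PREVIOUS_ROSTER = {"exec.ana", "exec.bo", "exec.dan"}
ROSTER = {"exec.ana", "exec.bo", "asst.cy"}
ENTITLEMENTS = [
    Entitlement("exec.ana", date(2013, 1, 1), date(2014, 6, 20)),
    Entitlement("exec.bo", date(2013, 1, 1), date(2014, 1, 15)),
    Entitlement("exec.dan", date(2012, 5, 1), date(2014, 6, 29)),
]
TODAY = date(2014, 6, 30)


def run_sample() -> ReviewResult:
    return recertify(ROSTER, PREVIOUS_ROSTER, ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    result = run_sample()
    print("revoke :", sorted(result.revoke))
    print("grant  :", sorted(result.missing))
    print("stale  :", sorted(result.stale))
    print("joiners:", sorted(result.joiners), "leavers:", sorted(result.leavers))
```

The “stale” list is the one most reviews omit: a long-unused grant is exactly the obsolete access right that accumulates quietly and that an attacker who compromises the account inherits. Running the reconciliation on a schedule, and feeding the revoke list to the provisioning system rather than to a spreadsheet, is what turns the snapshot the company started with into the regular process it needed.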

Draw on Existing Safety and Quality Efforts

Organizational change is undoubtedly hard, yet many companies have proven that it can be done in a systematic and sustained way. We have seen some companies, particularly in natural resources, manufacturing, and life sciences industries, make dramatic improvements in safety and quality.3 Not only are cybersecurity teams learning from their peers in manufacturing safety, they are also building on quality and safety programs themselves to create change. This has multiple benefits. It emphasizes to employees that cybersecurity is a core business practice rather than a separate “IT issue.” The approach underscores the importance of changing behavior, given the level of senior management backing provided to quality and safety programs. It is also more efficient, using organizational infrastructure such as reporting, governance, and incentive systems that already exist.

At many natural resources, petroleum, and process manufacturing companies, every meeting starts with a “safety share” in which participants offer a suggestion on how to avoid accidents. At one petroleum company, managers at headquarters increasingly include a cybersecurity-related safety share, because they believe that just as it is important to protect people and physical assets, it is also important to protect information assets. This process draws a connection to something that is already a core value and part of the culture, rather than setting up information security as a new or separate issue. Each time someone talks about how they found a sensitive document lying on a conference table and disposed of it appropriately and followed up with the document owner, it reinforces behavior just as it would if they shared a story about cleaning up spilled liquid that could have led to someone falling down the stairs, or about ending a conference call when a participant mentions they are driving a car.

Employ “Design Thinking” to Make It Easy to Do the Right Thing

Employees at many, probably most, companies will tell you that information security is a pain in the neck. It forces them and often their customers to remember complicated passwords. It prevents them from using many of the online tools that they use on their personal devices. It even causes laptops to take forever to boot up, forcing them to arrive for work five minutes earlier. No wonder so many technology executives told us that cybersecurity had a material, negative impact on frontline productivity at their companies.

Some of this inconvenience is unavoidable. Not every device, service, or application is secure enough for enterprise environments; and there is simply no way to protect sensitive information without robust authentication—the company can’t protect your data unless it knows that it’s you trying to access it.

Much of the inconvenience, however, stems from poor design. While Apple, Google, Amazon, and others make a virtue of creating delightful user experiences for their external customers, many other companies have deprioritized the user experience for both staff and customers alike. This is true of security measures perhaps more than anything else. One company started requiring employees to use more complex passwords, but didn’t explain specifically what types of passwords would pass muster (What length? Mixed case? Special characters?), leaving users to sort it out by tiresome trial and error. Naturally, this increases the chance that employees view security as an obstacle to getting things done rather than as an ally in protecting the business, and in turn it reduces the chance that employees view themselves as allies.

A bank started requiring customers to answer one of a set of “challenge questions” before accessing its online payment service. A customer would typically know that her first car had been a Camaro, but would she remember whether she had entered “Chevrolet Camaro,” “Chevy Camaro,” “Camaro,” or some other variant of the car’s name years before when she set up the account? Needless to say, this change resulted in a flood of angry calls into the customer service center. Although employees access systems on a much more regular basis and build “muscle memory” around the challenge questions, the lesson still applies: the way real users interact with the system has to be taken into account.
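Both failures above, the password policy that rejects without explaining and the challenge question that cannot cope with “Chevy Camaro” versus “Camaro,” have the same fix: decide in the design what the system will accept and tell the user, in plain language, at the moment it matters. The block below is an added example and not code from this book or from either company it describes; the thresholds, the small common-password list, and the sample answers are constructed. The password check returns every unmet requirement at once rather than a bare rejection. The challenge-answer code normalizes case, accents, punctuation, and spacing the same way at enrollment and at verification, stores only salted hashes, and lets the user enroll the variants she actually uses.

```python
"""Authentication UX: explain why a password was rejected, and make
challenge answers tolerant of the variants real users type.

Added example, not from the book or any company it describes.
Thresholds, the common-password list and the sample answers are constructed.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Tuple

MIN_LENGTH = 12
MAX_LENGTH = 128
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a list of breached or commonly used passwords.
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwerty123456"}


def password_feedback(password: str, username: str) -> List[str]:
    """Return every unmet requirement in plain language; [] means accepted.

    Reporting all failures together, with the numbers, is what spares the
    user the trial-and-error loop described in the text."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"use at least {MIN_LENGTH} characters "
                        f"(you entered {len(password)})")
    if len(password) > MAX_LENGTH:
        problems.append(f"use at most {MAX_LENGTH} characters")
    if username and username.casefold() in password.casefold():
        problems.append("must not contain your username")
    if password.casefold() in COMMON_PASSWORDS:
        problems.append("appears on lists of commonly used passwords")
    return problems


def normalize_answer(answer: str) -> str:
    """Canonical form of a challenge answer: accents stripped, casefolded,
    letters and digits only (any script), single spaces."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[\W_]+", " ", text.casefold())
    return " ".join(text.split())


def enroll_answers(variants: List[str]) -> List[Tuple[bytes, bytes]]:
    """Hash each accepted variant (e.g. "Camaro" and "Chevy Camaro") with its
    own salt; the plaintext is never stored."""
    records = []
    for canon in {normalize_answer(v) for v in variants}:
        if not canon:
            continue
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", canon.encode(), salt, PBKDF2_ROUNDS)
        records.append((salt, digest))
    return records


def verify_answer(attempt: str, records: List[Tuple[bytes, bytes]]) -> bool:
    """Compare the normalized attempt against every enrolled variant.
    All records are checked (no early exit) so timing does not reveal
    which variant matched."""
    canon = normalize_answer(attempt).encode()
    matched = False
    for salt, digest in records:
        candidate = hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)
        matched |= hmac.compare_digest(candidate, digest)
    return matched


# Constructed sample: the customer enrolled two spellings of her first car.
SAMPLE_VARIANTS = ["Camaro", "Chevy Camaro"]
SAMPLE_RECORDS = enroll_answers(SAMPLE_VARIANTS)

if __name__ == "__main__":
    print(password_feedback("Summer2014", "jdoe"))
    print(verify_answer("chevy  CAMARO!", SAMPLE_RECORDS),
          verify_answer("Chevrolet Camaro", SAMPLE_RECORDS))
```

Two design points follow from the code. First, normalization must happen before hashing, so the decision about what counts as “the same answer” has to be made at enrollment; a variant the user did not enroll (“Chevrolet Camaro” in the sample) is correctly rejected, and the honest way to avoid that call to the service center is to show the user the canonical form, or ask for the variants, when she sets the answer up. Second, tolerant matching loosens the secret slightly, which is one more reason challenge questions belong alongside, not in place of, stronger factors.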

Design thinking requires technologists (and others) to reframe their work in order to give the end user a positive experience, even if delighting them remains a tall order when it comes to multifactor authentication protocols. Tim Brown, CEO of design firm IDEO, said that design thinking means “innovation is powered by a thorough understanding, through direct observation, of what people want and need in their lives and what they like or dislike about the way particular products are made, packaged, marketed, sold, and supported.”4

Cybersecurity tools must, first and foremost, ensure that the company’s assets are protected. However, it is possible to achieve this while also creating a positive user experience—assuming there are direct trade-offs between the two ideas leads to missed opportunities for improving both security and the experience simultaneously. One nonprofit organization found that employees were using a wide variety of public file-sharing services to store sensitive deal-related documents even though these services’ security capabilities had never been validated. To counteract this, the organization introduced its own secure application. Employees felt that IT was responding to their needs to collaborate, while the organization was able to increase compliance rates substantially.

A narrow focus on compliance can, of course, blind the organization to some of the real risks. A bank was in full compliance with device security standards and passed every audit, yet all these controls slowed boot-up time so much that staff were using unsecured personal laptops and relying on web-based e-mail when traveling. These real risks were not captured by any security audit but still needed addressing. The bank therefore launched a concerted effort to reduce laptop boot time when it upgraded staff laptop operating systems, and startup time is now tracked as a top-level performance metric for cybersecurity. The onus was on the IT department to make compliance as easy as possible, even if that meant a slightly less stringent standard.

Apply a Broad Set of Mutually Reinforcing Actions

Experience, backed up by our interviews, suggests that getting people to change their behavior to make a company more secure is hard. Indeed, McKinsey research shows that organizational change is difficult in almost any context and that even when there is a burst of attention given to a topic, it is easy for an organization to slip back into old habits over time.5

We often see institutions opt for a cybersecurity awareness program when what they need is a full-blown change management program. They put up posters urging employees to “think before you click” and conduct simulated phishing campaigns to determine which employees will follow a link included in a clearly fraudulent e-mail. This is not enough given the dramatic impact that user behavior has on overall security. Awareness programs are, at best, only one element in changing user behavior. Communication is just one element of creating a shift in mind-sets and behaviors.

Instead, companies need to sustain change, which requires four mutually reinforcing conditions to be in place (Figure 4.1).

FIGURE 4.1 Hardwire the Mind-Set and Behavior Changes into the Organization

People Need Both Understanding and Conviction

People need to know what is expected of them and, crucially, agree that it is meaningful and worthwhile. This means engaging them on why cybersecurity matters and on the critical role each of them plays in protecting the organization’s assets. This is often where organizations are relatively strong; the other three mechanisms typically need the most improvement.

People Need the Skills to Enable Them to Behave in the New Way

For example, businesses need to integrate material on how to handle documents securely into broader training sessions and employee induction days. Part of this can be basic technology controls—if encryption is required for certain kinds of information, then that software needs to be provided (or, better, automated). The other pillar is moving beyond “what and why” types of communication into “how” conversations that use concrete examples to help employees understand and incorporate new behaviors. For example, an aerospace manufacturer added a security management module so that an engineer joining a team working with an external manufacturing partner would learn the security protocols at the same time she learned about collaboration methods, team schedules, and so forth: security was part of the core training, not a secondary measure.

Senior Leaders Need to Role-Model the New Behaviors

Role-modeling is essential to reinforce any requirements or behaviors and to embed the idea that this matters and is taken seriously by the leadership. If someone sees their boss (and their boss’s boss) treating customer information with respect, not talking about sensitive data in public, and voicing disapproval when security protocols are not followed, then they know to take the rules seriously. On the flip side, if their boss mocks the rules or shows active resentment and a “game the system” mentality, then the official and implicit messages come into conflict and many employees will align with their supervisor’s viewpoint.

Leaders Need to Reinforce the New Behaviors through More Formal Mechanisms Such as Incentives

There are usually clear penalties for egregious misuse of corporate technology resources, but incentives that reward good cybersecurity behavior are scarce. Many companies run simulated phishing campaigns to see how many employees respond. Very few, however, track phishing hit rates over time and build them into senior management scorecards and incentives. At the most basic level, security performance can be incorporated into performance indicators and dialogues. For greater effect, security behaviors can be included in compensation and performance reviews, together with other types of risk. People tend to prioritize what is measured and what is rewarded (and punished), so if cybersecurity is not included, that sends an implicit message about the priority of security needs.
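Tracking a phishing hit rate over time means more than recording the result of the last campaign: several campaigns in a quarter have to be pooled, the rate has to be kept per business unit or user segment so that the capital markets group and the retail bank are not averaged into one meaningless number, and the scorecard has to show the trend, not just the level. The block below is an added example, not code from this book or from any company it describes; the units, quarters, counts, and the 5 percent target are constructed.

```python
"""Phishing-simulation scorecard: pooled click rate per unit per quarter,
with quarter-on-quarter change and a target check.

Added example, not from the book. All sample figures are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CampaignResult:
    quarter: str   # sortable label such as "2014Q1"
    unit: str      # business unit or user segment
    sent: int
    clicked: int


def click_rates(results: List[CampaignResult]) -> Dict[str, List[Tuple[str, float]]]:
    """Pool all campaigns for a unit within a quarter and return, per unit,
    a quarter-ordered series of click rates (rounded to four places)."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # unit -> quarter -> [sent, clicked]
    for r in results:
        if r.sent < 0 or r.clicked < 0 or r.clicked > r.sent:
            raise ValueError(f"inconsistent counts: {r}")
        totals[r.unit][r.quarter][0] += r.sent
        totals[r.unit][r.quarter][1] += r.clicked
    return {
        unit: [(q, round(clicked / sent, 4))
               for q, (sent, clicked) in sorted(quarters.items()) if sent]
        for unit, quarters in totals.items()
    }


def scorecard(results: List[CampaignResult], target: float = 0.05) -> Dict[str, dict]:
    """Latest rate, change against the previous quarter, and whether the
    unit is at or below the target rate."""
    card = {}
    for unit, series in click_rates(results).items():
        latest_quarter, latest = series[-1]
        previous: Optional[float] = series[-2][1] if len(series) > 1 else None
        card[unit] = {
            "quarter": latest_quarter,
            "click_rate": latest,
            "change": None if previous is None else round(latest - previous, 4),
            "meets_target": latest <= target,
        }
    return card


# Constructed sample: three quarters, with two separate campaigns run
# against the retail unit in 2014Q3 that must be pooled.
SAMPLE_RESULTS = [
    CampaignResult("2014Q1", "capital_markets", 400, 80),
    CampaignResult("2014Q2", "capital_markets", 400, 60),
    CampaignResult("2014Q3", "capital_markets", 500, 50),
    CampaignResult("2014Q1", "retail", 200, 10),
    CampaignResult("2014Q2", "retail", 200, 8),
    CampaignResult("2014Q3", "retail", 150, 6),
    CampaignResult("2014Q3", "retail", 50, 4),
]


def run_sample() -> Dict[str, dict]:
    return scorecard(SAMPLE_RESULTS)


if __name__ == "__main__":
    for unit, row in sorted(run_sample().items()):
        print(unit, row)
```

In the sample, the capital markets unit still misses the target but has halved its click rate over three quarters, while the retail unit meets the target but is drifting upward; a scorecard that showed only the latest level would reward the wrong group. The same structure can carry the reporting rate (employees who forwarded the lure to security) once a company decides to reward that behavior rather than only penalize the click.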

● ● ●

Policies and processes in every part of the business—product development, marketing, sales, operations, procurement, HR, risk, and compliance—affect a company’s ability to protect its information assets. Decisions and actions on the part of frontline users in every part of the business matter just as much.

Making the right changes to policies, processes, and user behavior requires a high degree of collaboration between the cybersecurity team and the rest of the business. Too passive a posture on the part of the cybersecurity team would mean forgoing important levers in protecting information assets, but a series of mandates formulated without business input could have a dramatically negative impact on productivity.

Naturally, cybersecurity teams will have to develop a nuanced understanding of business practices and processes to develop realistic options for changes that will protect information assets. However, they cannot do this alone. They require active support from a range of senior managers: business unit executives have to help synchronize customer offerings, product designs, and end-to-end processes with security requirements; procurement managers have to help strike the right balance between vendor security requirements and contract economics; compliance managers have to help align regulatory mandates with the company’s risk reduction priorities; and managers in every function need to communicate and reinforce the expectation that frontline users will understand the value of and protect the information assets they use every day.

Notes
