Analysis: Executives don’t appreciate how hackers threaten their assets.
"As soon as the top management buys in we have a budget," said Marco Gercke, director of the Cybercrime Research Institute. The cyber security advisor noted that his field used to be "a topic for the system admin". Most agree is that attitude will not serve firms any more.
According to the lawyer, many top managers are not aware of how poor cyber security can damage a business. As he said, some people’s opinions can only change when they themselves have been attacked, and like many in his industry he knows the difficulty of persuading the executive level to use tech more safely. So what can be done?
Schooling the boss
CBR asked a number of security providers what they felt their role was in educating top level management. Many noted that while they could provide tools and intelligence to their customers, it was the responsibility of firms to identify which of their assets had greatest priority.
Much of what matters is about context, particularly time. Details of Apple’s iPhone 6 and iWatch will be at their most valuable just before they are announced to the world. By comparison the source code of their latest piece of software will retain value until it is replaced by the next iteration of the product.
Few will be better placed than the board to appreciate what matters to the company, even if it is ultimately cybersecurity’s job to secure it. The problem, as Gercke says, is that management can often be complacent about how much damage can be done to the company with even the mildest of hacks.
Met with the suggestion that Twitter access should be more tightly controlled, he reported that one client had scoffed before asking what risk the social media account could pose to his firm. Yet when the newswire Associated Press was defaced by the Syrian Electronic Army, a group of hacktivists, the message that US president Barack Obama had been injured in a bomb caused tremors in the financial markets.
Bringing war games to the boardroom
So how should the cybersecurity sector convince the management of its worth?
"We need to bring the management into a situation where they are confronted with cyber attacks," Gercke told an audience at the Gartner security summit in London this week. His approach reflects the war game mentality that most militaries employ, in which simulations are made as convincing as possible so people are best prepared for the real thing.
"If you had them in a boardroom and there’s lot of light and devices are everywhere it doesn’t work," Gercke said. Sometimes executives need to be isolated them from their risk advisors, or subjected to mock interviews with regulators where information may be limited. His suggestions are almost like the executive equivalent of penetration testing, and he believes they can work.
Also at the conference Gareth O’Sullivan, EMEA director of solutions architecture at WhiteHat Security, told CBR that the industry changes so fast it can be hard to keep anyone up to speed. Even if nobody expects executives to understand the minutiae of cybersecurity, a cursory knowledge needs to be present at every board meeting on securing company assets.
"At a high level the knowledge will come from management, but a low level IT may better understand emerging threats and how they may expose the business in areas not considered before," said Bob Tarzey, an analyst at research firm Quocirca. "In other words, good cyber security will involve informed co-operation from both areas of the business."