A company usually takes its cues from leaders at the top: What the top executives emphasize will become the organization's imperatives, and what they ignore will typically fall by the wayside.
It is the same with IT security. If corporate leadership is not embracing and underscoring the need to follow the rules of good cybersecurity – or almost as bad, if they promote them for everyone else but don't follow those guidelines themselves – the results can be devastating.
“Leading by example comes from the very top,” says Darren Argyle, CISO and managing director for Markit, a financial services and information company based in London. Hence, Argyle says that at the very start of Markit's security awareness campaign, his team recorded a video of the CEO informing all employees that he takes security seriously and that it is everyone's responsibility.
“From what I have seen, this problem is pretty much universal,” says Perry Carpenter, research director covering security and risk management technologies and strategies for Gartner. There are some companies where leaders are trying to set the tone, he explains. “But in the vast majority of organizations, where top executives are trying to get the job done, sometimes the rules become secondary because of their position.”
However, despite their assurances that cybersecurity is a shared responsibility, C-suite executives are often so busy, or traveling or working remotely so often, that they may take shortcuts – like accessing corporate files or systems from a personal laptop or device, downloading sensitive documents, or in some way making an end-run around security protocols in service to convenience. And that can cause big problems.
“I believe this problem is significant,” says Stephen Gates, chief research analyst and principal engineer at NSFOCUS International Business Division, which handles network security and advanced analytics. “When executives and employees don't adhere to rules and procedures, they make themselves and the organization vulnerable to outside and inside security threats… creating a much larger issue for security teams.”
David Shearer, CEO of ISC², a nonprofit information and software security association, says he has seen this as a growing problem in the past. Increasingly, however, government agencies and companies are beginning to add performance elements related to IT security to senior executives' contracts, to tie their compensation to meeting security goals – just like sales goals – and to make them more cognizant of the importance of security to the organization, its brand and its reputation, he says.
“What gets measured gets done,” Shearer points out. “Everybody wants convenience and that has been our biggest obstacle in cybersecurity.”
- Darren Argyle, CISO and managing director, Markit
- Perry Carpenter, research director, Gartner
- Steve Conrad, managing director, MediaPro
- Steve Durbin, managing director, Information Security Forum
- Stephen Gates, chief research analyst and principal engineer, NSFOCUS International Business Division
- Greg Schaffer, CEO, First72Cyber
- David Shearer, CEO, ISC²
Indeed, Shearer says that IT security measures are often seen as obstacles by users, and often that includes the top executives “who will ask for a pass” because they are busy or traveling or just pressed for time.
Other security industry insiders agree with Shearer that, while the problem exists, more organizations are taking steps to try to make their leadership aware of the need for IT security compliance – from the top down.
“We're becoming better at it, but there's always a danger,” says Steve Durbin, managing director for the Information Security Forum, a global organization dedicated to investigating, clarifying and resolving key issues in information security. “Very few [executives] are deliberately ignoring policies, but they may be unaware or see no harm in what they're doing.”
Greg Schaffer, CEO and founder of First72Cyber, a risk management and analytics company, admits that while it has been fairly commonplace for the C-suite to have a different set of rules placed on them, the recent publicity about breaches and the regular attention paid to them have contributed to a better understanding of this problem.
“It's not lost on them that this is a major issue,” says Schaffer, also a former official at the Department of Homeland Security. Based on his experience in both government and the private sector, Schaffer believes top executives over-stepping their IT security boundaries is typically more of an issue in private sector companies, since the government is stricter and more unbending in its IT security rules and protocols.
Still, that is no assurance that even the most highly placed official will not run afoul of the rules. Case in point: The email scandal that has embroiled current presidential candidate Hillary Clinton, which reportedly stemmed from the then-secretary of state insisting on using her personal mobile device and computer for her government emails.
“We work with some very large enterprises and it's rare that there hasn't been exposure by the top executives,” says Steve Conrad, managing director at MediaPro, which handles enterprise training for IT security. “The risks are changing all the time. And the threat actors out there are consciously targeting the CEO. They're figuring out how to get their attention and hitting executives on purpose.”
One prominent example: A current scam gaining popularity is one where a fraudster posing as the company's chief executive sends an email to the company's chief financial officer, or another executive with payment authority, demanding that they send out a wire transfer immediately. If executed well, with ill-gotten information from a compromised CEO's account, the CFO usually complies and the enterprise is out the money from the transfer, and potentially has shared delicate financial information with crooks to boot.
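The scam described above leaves traces in mail headers that a defender can check before a payment request ever reaches the CFO: a display name that matches an executive but a sender address that does not, a Reply-To that diverts replies to another domain, and urgency language around a transfer. The following is an added example, not code from the article or from any of the companies it quotes; the executive roster, corporate domain and the three messages are constructed samples.

```python
"""Flag executive-impersonation email by header inspection (added example).

Assumptions (constructed, not from the article): a corporate domain of
example.com, a roster mapping one executive's display name to her real
address, and three sample messages built inline.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                     # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical roster
PAYMENT_URGENCY = re.compile(
    r"\b(wire|transfer|urgent(?:ly)?|immediately|asap)\b", re.IGNORECASE
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list[str]:
    """Return the list of indicators that fired for one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name matches a known executive, but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        reasons.append(
            f"display name '{from_name}' is an executive but sender is "
            f"{from_addr} (expected {known})"
        )

    # 2. Reply-To sends answers to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append(
            f"Reply-To domain {_domain(reply_addr)} differs from "
            f"From domain {_domain(from_addr)}"
        )

    # 3. Payment-urgency wording in subject or body. This is a weak signal on
    #    its own (real executives also send urgent mail) and only matters
    #    together with a header indicator.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = sorted({m.lower() for m in PAYMENT_URGENCY.findall(text)})
    if hits:
        reasons.append("payment-urgency language: " + ", ".join(hits))
    return reasons


def is_executive_impersonation(raw: str) -> bool:
    """True only when a header indicator fires together with urgency language."""
    reasons = assess_message(raw)
    header_hit = any(r.startswith(("display name", "Reply-To")) for r in reasons)
    urgency = any(r.startswith("payment-urgency") for r in reasons)
    return header_hit and urgency


# Constructed sample messages.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.example.net
To: cfo@example.com
Subject: Urgent wire transfer needed today

I'm in meetings all day, please wire $48,000 to the vendor account below immediately.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Draft attached for Thursday.
"""

# A genuine executive asking for a transfer: urgency alone must not fire.
SAMPLE_REAL_URGENT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Wire transfer approval

Please approve the supplier transfer we discussed this morning.
"""

if __name__ == "__main__":
    for label, sample in [("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT),
                          ("real-urgent", SAMPLE_REAL_URGENT)]:
        print(label, is_executive_impersonation(sample), assess_message(sample))
```

The design point is in `is_executive_impersonation`: a transfer request from the real executive's real address yields only the urgency indicator and is not flagged, so the check does not punish legitimate urgent mail; what it catches is the combination of impersonation headers and payment pressure that the scam depends on.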
Getting the job done
Whether it is the company's chief executive, a top salesperson or the leader of a government agency, these leaders are rarely intentionally flouting IT security rules as a power trip. Top executives may rally for elevated access or permissions to the corporate system – which flies in the face of giving every person the minimum access necessary to do their jobs – simply because it will make getting to information easier, Shearer says. The rationale is typically, “I'm ultimately responsible for this organization, so why shouldn't I have carte blanche?” he says. Of course, the fact that this happens, in turn, makes top executives bigger targets than the average employee, because they may have access to the more valuable information and intellectual property – or because compromising a prominent executive or figure in an organization could cause embarrassment for the entire organization.
“The potential risks are quite large since, by nature, top execs are permitted access to very sensitive information that may not be accessible to other employees,” Gates says. “If executives' devices are compromised from the outside, attackers will have the same permissions to the same sensitive data.”
In fact, the loss of customer trust and confidence is now considered the most harmful consequence of a distributed denial-of-service (DDoS) attack, according to a recent survey of IT professionals by Corero Network Security. In its second annual DDoS Impact Survey, 45 percent of the IT professionals polled agreed that lost customer trust has the biggest bearing on an organization, with lost revenue cited by 32 percent of respondents as the next most impactful repercussion. Almost one-third of respondents (32 percent) said DDoS attacks on their network happened weekly or even daily.
Schaffer points out that the executive floor of an organization may have its own IT staff and support, and the executives or their staff may see rules (even IT security rules) as more situational, rather than blanket protocols. “Sometimes the support organization is more of a problem than the executives,” Schaffer says, adding that they may be giving access or abilities to the executives that are unwanted.
Carpenter concurs, saying the thinking for many on-the-go executives is, “I am a busy person trying to accomplish things and taking whatever course I can to just get things done.”
Often, corporate leaders are simply using their personal computing devices or not being as diligent about password security as they should because the inconvenience is seen as “standing in the way of getting their jobs done,” says Gates. “Rigid policies and inflexible technologies are likely to be bypassed. Knowing this ahead of time will help IT policy-makers build better programs and invest in more flexible, secure technologies and approaches.”
While the obvious response might be to simply bring top executives in line with the rest of the organization, Shearer and other experts point out that, just like other issues the company faces, the board and its leaders need to think in terms of their risk appetite. In other words, if a top executive knows the risk they are taking by using their own computing devices, or accessing files on non-corporate or public networks, and the board or management is aware, it is more a matter of whether the organization is willing to take that risk to provide convenience. “A lot depends on the disposition of the board the executives work for, the appetite the board has, or does not have, for risk and the potential for risk,” Shearer says.
Couching the issue in terms of risk makes this conversation more accessible for boards and executives, says Conrad, “because risk is a thing that executives deal with every day. They are more comfortable than the general population [of the organization] with taking risks.”
Argyle believes a good plan for managing such concerns and potential risks is to first “acknowledge that cyber attacks are inevitable.” He adds that preparation for such events is really the best way to manage the fallout, no matter what the executives are permitted to do.
“The attention of the board and executives will quickly turn to being ready to react when the time comes,” Argyle says. “Boardroom tabletop and cyber attack simulation exercises give some perspective and appreciation of the potential impact.”
Because they are the most targeted employees in the company, he says, top executives require special attention when it comes to security. Agree with them about what the crown jewels are and give them a clear understanding of the risk, Argyle says. “Then provide the appropriate security tools and deliver regular tailored education.”
In Argyle's experience, the only way to ensure senior executives follow good practices and company policy is to have them directly involved in the cultural change of the organization.
He underscores the importance for an organization to assess and understand its digital footprint and develop a “risk score.” Then, he says, the CISO and their team should follow up with regular ongoing monitoring to show trending in the risk profile and take course correction where it is needed. “Follow-on awareness and education should not stop with employees,” Argyle says. This focus, he explains, needs to be tailored to those at most risk: the board and the executive teams.
Durbin agrees that, more than setting rigid controls, it is about having a conversation and understanding which assets top execs absolutely need to access. “As managing director, do I need access to everything?” he asks. “No, I don't need to get to the human resources system or financial systems on the road.”
Given their level of responsibility, he says top executives should be given a little more leeway and hand-holding in determining the level of access they need and what IT security controls or procedures could be adapted to make their jobs easier, but also keep data secure.
And, he adds, it is often about the IT security team, and the CISO in particular, explaining in language the C-suite can understand what is being done and why. That means zeroing in on brand value, stock price, customer loyalty and reputation. In some cases, IT security might require manual intervention or other exceptions for a traveling executive.
“It is important to become more collaborative in this space, rather than confrontational,” Durbin says, “especially since I don't see this problem disappearing any time soon.”
Board speak: Five principles
The National Association of Corporate Directors, in conjunction with the American International Group and the Internet Security Alliance, published a report outlining the five principles that corporate boards should consider “as they seek to enhance their oversight of cyber risks.” The five principles are:
- Directors need to approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
- Boards should have access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the agenda.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.