Convincing Boards to focus on Cyber Security is no easy task, when those working in the business have priorities, responsibilities and rewards specifically structured to make Cyber Security a lower priority. Convincing Boards starts from the "middle" and must work both "down" and "up", and it will not be an easy or fast process.
I recently spoke to the CRSA (Control Risk Self Assessment) Forum in London, hosted at the IRM's offices (with thanks to Carolyn Williams), and very ably organised by Paul Moxey. My desire was to highlight the challenges that management (operational to the C-suite) face, and the decisions that must be taken, many of which lead to a de-prioritisation, or even ignoring, of Information Security.
This is not to suggest that Information Security should be de-prioritised, far from it. But the purpose was to highlight the difficulties that the Risk Professional will have in gaining the internal support to both raise and then to gain resources required for effective InfoSec.
To encourage the participants to consider (and actually, engineer scenarios in which InfoSec would lose out to other priorities) I provided two "role-plays". A very quick caveat; neither case represented a real company or actual situation, but was built from a wide range of situations I have been party to or have been the Internal Auditor or Risk Manager associated with elements of the case.
Role-Play 1: "Complex project choices"
The first looked at project level issues and delivery concerns leading to a situation in which InfoSec, while critical, was actually "pushed into the long grass" by each group that considered the case.
You can "enjoy" the role-play case study here.
The constructed problem centres around the competing constraints facing any business when it comes to systems implementation. The various strains on all members of a project team, including the leadership, sponsor, and steering committee, require the balancing of resources and priorities. Sometimes individual incentives outweigh the needs of the business. While this is not acceptable, it is a reflection of the reality of motivating people, and in some cases, focusing those people on the outcomes that they are responsible for delivering.
When participants received the "role-play", there were more than a few people saying "I've worked on this project".
The premise was fairly simple; the project is in its final stages but has run over budget (Quelle surprise) and over time, and the user community's level of frustration is rising to breaking point. The infrastructure model is not adequately integrated into the corporation's secure environment, and the additional time and cost will push the project further over budget and time.
The groups were then asked, each playing a specific role, to provide a recommendation, as a group.
As expected (and constructed), not one of the groups said that project implementation should be delayed until security concerns were addressed. In one group, the person playing the role of the IT Infrastructure representative threatened to "call Internal Audit" to which there was a response, "So you plan to stab your colleagues in the back?"
Others proposed setting up a working group to assess and recommend addressing the security and infrastructure issues after the project, while acknowledging that this would become, in effect, a new project fighting for resources against all other projects. But it wouldn't impact their ability to deliver what they were required to deliver.
The final takeaway for participants was that it will be difficult to gain the internal allies required to address security if their support will be counter to their own needs, responsibilities and rewards.
Role-Play 2: "The C-Suite and External Expectations"
Likewise, at the C-Suite level, internal and external expectations can be such that investment in Cyber Security becomes a secondary consideration behind meeting the short-term demands of shareholders, markets or owners. This Role-Play set out to demonstrate the push and pull of competing requirements, again against a backdrop of systems implementation coupled with quarterly reporting needs, in challenging market conditions.
Take a look at the Role-Play here.
The four participants (the COO, CFO, CIO and Director of Communications) each have competing priorities, yet all are also keenly interested in ensuring company success.
Read the Role-Play and decide for yourself how these individuals should respond, and challenge yourself to find a way for them to agree to invest in greater Cyber Security, or to make a recommendation to the Board to do so.
Once again, while all but one of the groups could not bring themselves to abandon their roles' self-interest, they did all recommend that the CIO push Cyber Security to the top of his or her agenda for the coming quarter. The outlier group suggested that the business "take the hit" this quarter and focus on Cyber Security, while also communicating to the markets that they were doing so to improve the company's ability to protect and serve customers in the future (though they did not agree fully on how to avoid the potential ramifications of announcing that they would focus on Cyber Security and the potentially associated assumption that their systems were not secure).
Summing up:
In both, or either case, do you recognise your company, or a company you have worked with in the past?
If so, be assured that it is possible to convince Boards, but only once the required groundwork has been completed. In the two Role-Plays above, it is too early, and there are too many competing priorities. But there is hope in each, in that the need is recognised, and there are ways out.
Gaining Board agreement on Cyber Security requires time and planning, with careful messaging along the way. In addition, before the Board can "buy-in" to investment in Cyber Security, key stakeholders within the business must also "buy-in", as it will be their alternative expenditure and investment plans and programmes that may suffer or be put on hold to accomplish improved security.