You have read the newspapers and understood why WannaCry became a problem so quickly. You have understood why cybersecurity threats are so important to take seriously. You do not want your company’s data to be hacked by some 17-year-old in their bedroom – incidentally a good description of many hackers. In summary, you want to take your CIO responsibilities very seriously and have put together a cybersecurity policy to be followed by your organisation. However, there are many reasons why your good intentions are doomed to failure. Let us explore the six reasons that your cybersecurity policy may fail.
First of all, and most importantly, you need buy-in, not only from board level but also right down to the admin and security staff. Start at the top and get your budget and resources agreed, and be aware that instilling a cybersecurity policy within a company takes time, effort and money. Once you have worked your way through the myriad of procedures and paperwork necessary to achieve board sign-off, you then need to define how you are going to bring the new cybersecurity policy to the attention of your company’s staff members.
Start with your own staff, as they will not only be undertaking the cybersecurity work but will also be your evangelists and will provide the answers to staff member questions. Once you have your own staff signed on, involved and well versed, it is time to roll out your new cybersecurity policy. The best way to do this is by using a three-pronged attack: email notifications with full details; full details and FAQs in your staff data source; and lastly training that introduces and details the new policies.
Here you may have problems with staff members being released for, or attending, the training, so you need to emphasise the importance of cybersecurity to your senior managers. This is where board-level buy-in is so important. Cybersecurity is business as usual, and staff should treat it as part of their responsibilities.
The next reason for failure you may come across is not having detailed knowledge of your current ICT environment. Most CIOs have two problems here: a network that has evolved and grown over time, and people plugging in peripherals such as phones, laptops and tablets. These problems are compounded if you have multiple sites to monitor. Understanding what a company has within a complex environment with many different versions of software, many different APIs and even more different nodes can be almost impossible. The first port of call is a major network audit, followed by monitoring software to keep the information up to date in real time.
This is when the people part of your cybersecurity policy becomes problematic. People as a whole really hate change: they have their own little niches, managers have their own empires, and all staff are used to working in a certain way. Making changes, however necessary, worthwhile and well supported by senior managers, is always difficult. The way to get around this is to inform, advise, support, train and mentor them, cajoling and insisting as you progress.
Cybersecurity skills are expensive and take a long time to acquire. Good cybersecurity technicians and consultants are difficult to find and even more difficult to keep. Many surveys have indicated that there are not enough cybersecurity professionals to carry out all the cybersecurity work that is necessary. Couple this with the fact that many surveys also indicate that the number of hackers is increasing, that tools are readily and cheaply available on the dark web and that many hackers are in their early teens, and you see the problem you may face when implementing your cybersecurity policy.
Even the hardest-working CIO may not be aware of all of the projects and technical initiatives that are ongoing in a company. Managers go rogue, staff buy peripherals, or projects may not be centrally logged. Sometimes there may be so many projects that the CIO cannot reach out to all the project managers. Whatever the reason, some projects may not be affected by the new cybersecurity policy. In this case the first job of the CIO will be to discover the scope, objectives and state of all the projects within the company, and then ensure that the project managers adhere to the new cybersecurity policy.
Lastly, because implementing a new cybersecurity policy can take so long and is so involved, focus can be lost. Business as usual pulls the CIO away from the task in hand. Other projects call and problems happen. Key staff leave the company; maybe the CIO goes to a more secure environment, or gets fired because there is a security breach.
Maybe the answer is to bring in an experienced cybersecurity company such as Gaia Technologies plc, who will audit your current technical environment and then advise on, configure and train on appropriate security monitoring software. They can even offer a full MSSP – managed security service provision – for your company. This will go a long way towards letting your CIO sleep at night.