Cyber Resilience & Security - changing attitude, behavior and culture
Our latest Cyber Security & Resilience game is in final testing. Not a moment too soon if we look at the current state of cybersecurity readiness and the critical importance of changing attitude, behavior and culture around cyber security.
Cyber security and cyber resilience are hot topics, driven by the growing importance of, and dependency upon, information technology, and fueled by high-profile, highly damaging security breaches that make news headlines. In the latest IT Trends study by the Society for Information Management it ranks number 1 on the list of CIO worries.
In response to this growing need, Axelos has recently launched the ‘Resilia’ best practice portfolio ‘to help organizations improve their cyber resilience and protect themselves from cyber-attack’. The focus of Axelos is ‘Putting people at the centre of organizational cyber resilience’.
As Peter Hepworth, CEO of Axelos, stated: ‘Cyber crime is increasingly recognized as one of the most serious risks to a strong global economy, market reputations and to national security’, adding that Resilia will equip people with ‘knowledge and confidence to deal with cyber security risks’. It is refreshing that Axelos is strongly positioning the PEOPLE side of the PPT (People, Process, Technology) equation. As Nick Wilding, head of Cyber Resilience at Axelos, also stated: ‘Inside any organization there is a powerful force that can help protect their reputation, safeguard their information and keep customers close – people’.
However, it is also people who leave memory sticks containing sensitive data in their cars, who succumb to spam mails and who stick their passwords under their keyboards. It is people who circumvent security policy to ‘get their job done’.
The latest cybersecurity findings from Cisco reveal that attackers are shifting their emphasis from ‘…seeking to compromise servers and operating systems to seeking to exploit users’.
Education & Training
Axelos is the latest to offer a framework of best practice and related certification. As well as offering the Axelos portfolio, APMG also has ‘Cyber security and resilience’ certification. ISACA has ‘COBIT 5 – for Information Security’ with a related set of certifications; BCS, EXIN and PeopleCert also have offerings.
“Education and theory are not enough. We must ensure that the theory is translated into practice and embed security in the behavior and culture.”
IT organizations now have a wide choice of security-related education and theoretical certification. However, the real value of knowledge comes from the experience of how to practically apply the theory. Also, more so than with many other best practices, security management is all about Attitude (awareness, understanding, commitment), Behavior (doing what is necessary) and Culture (stop and think). ‘Engagement with people’ was in the ‘top 5 Information Security trends that will dominate 2015’ on CIO.COM: “Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in ‘stop and think’ behavior becoming a habit and part of an organization’s information security culture.”
GamingWorks is currently developing its latest business simulation, Oceans 99, together with industry practitioners. The simulation is designed to support formal education courses such as Foundation or Practitioner by providing a safe environment to test and apply the theory.
At the same time, the simulation can be used as an awareness instrument for ALL employees, both IT AND business users, to create both awareness and understanding of the need for people to change their attitude and behavior in relation to security.
Oceans99 is a business simulation game. In this game the Tokio bank and Tokio museum want to host an exhibition of three unique and valuable objects: an extremely rare Bugatti from Las Vegas, one of the most exquisite diamonds in the world from London and a priceless Dutch painting. The objects have to be transported across the globe. The planning, monitoring, tracking and security of the exhibition are all managed with information systems. Oceans99, a criminal organization, wants to steal the objects. Can they access the information to plan and arrange the greatest art theft of all time?
In our most recent PILOT of the simulation with SMEs from our partner community, we asked delegates ‘What cybersecurity success and fail factors did you discover today that you recognize as common issues that your customers are experiencing?’ Here are some of their experiences:
- Threats, Risks, Vulnerabilities – Even with a group of security-minded consultants there were discussions and confusion about ‘terminology’, which stimulated a dialogue about the right things: which assets and information are the most critical, and what are the most significant risks.
- When assessing the risks there is a tendency to focus primarily on technology and process, and too little focus on people- and behavior-related risks and countermeasures.
- The Security team and senior directors chose a set of technical security measures which caused irritation and were circumvented by the users to ‘get work done on time’. There was no common shared vision and strategy on security.
- There was general confusion about tasks, roles and responsibilities concerning security policy and procedures. Not all the stakeholders saw a need for a policy as opposed to ‘quick fix technical solutions’.
- In the game a business stakeholder rejected the technical security measures already implemented, and circumvented these. The executive director accepted the business unit manager’s decision. What was the role and authority of the security officer? What was the policy for reviewing/assessing/auditing to underpin the decision and make the potential risks and vulnerabilities visible? The team discovered the security officer was seen as more of an IT role and did not have credibility, trust and authority at the executive level.
- The team deployed the new technology solutions but failed to address issues such as reporting security incidents, prioritizing security-related issues, roles and responsibilities, communicating awareness around the security policy, shared goals and processes.
- Security ‘events’ were not analyzed to identify trends, threats and vulnerabilities.
- Even though people were aware, under the pressure of meeting deadlines phishing mails were opened and links accessed, allowing malware to enter the systems.
Was the exercise useful? It exposed recognized issues, clearly demonstrating the importance of engagement and dialogue, and highlighted that security isn’t just an IT technical issue. It also highlighted a need for security officers to understand elements of ITSM such as incident management and problem management, in order to analyse security trends and threats and to help prioritize security investments.
“It is a great instrument for creating awareness, understanding and commitment from both IT and Business people for the need to change behavior”.
“Having people from different departments and teams get together in one room helps people see, feel and experience dependencies… they see the overall impact of seemingly insignificant breaches in procedures”.