How often do you hear about increased cyber security budgets immediately following an incident — signposting a move from constrained spend to an overnight demand for action and investment? But security shouldn’t be an event-driven, knee-jerk activity; it must permeate every part of the organization, from product design to customer service, supply chain to production.

Cyber security should be a key part of building trust and integral to corporate strategy — not an afterthought. It’s the same with DevOps, where developers tend to be incentivized on speed to market and not security, with inevitable consequences. In industries like construction and oil and gas, safety has become second nature. All the operations have embedded a safety culture, helping employees instinctively avoid incidents by encouraging, measuring, rewarding and publicizing responsible behavior. CISOs should follow a similar path, and perhaps even build on that culture in those industries where it already exists.

For cyber security teams, the new, subtler role of influencer may take some getting used to. CISOs themselves should think less in terms of security empires, and more about orchestrating a resilient, cyber-aware ethos where everyone is accountable for their contribution to corporate security.

If you haven’t considered cyber security as part of your conceptual product discussions, you’re probably too late.

Dani Michaux
EMA Region Cyber Security Leader and Partner
KPMG in Ireland

Agents of change

Addressing the challenge

Embedding cyber security into the organizational DNA requires CISOs and their teams to become evangelists, to make security processes second nature and to change behavior, while also respecting the differing organizational cultures found in development teams.

Change starts at the top

CISOs must invest time building strong relationships at board level, articulating risk and explaining how cyber, when done right, can enable the business. Once the board and executives buy into the concept of implicit security, CISOs are in a stronger position to spread the message more widely, knowing that they have leadership support.

Forging a security culture

CISOs can exert influence by being visible, and giving individuals the knowledge and the power to practice good cyber security habits. This doesn’t just apply to employees, but also to any third parties handling data, such as contractors, suppliers and partners.

As Covanta CISO Tammy Klotz explains, there’s nothing like building one-to-one relationships with key stakeholders: “It’s not rocket science. It’s about having a presence, having conversations, investing time in understanding the business operations you support and protect, to show you understand what’s most important. I call it ‘getting into the other person’s movie’. My entire first year in this job was about building relationships. You can’t do Operational Technology (OT) security without visiting a facility and getting your hands dirty.”

Our role has shifted from security awareness to behavior management. This means fostering better digital citizens, with phishing exercises, gamification and other methods to change behavior and understand the importance of information security wherever you are.

Jim Nelms
CISO, LabCorp

From DevOps to DevSecOps

Development teams remain reluctant to integrate cyber security, fearing it will slow down their efforts and seeing it as a corporate overhead. In some organizations, CISOs fund cyber security specialist roles within DevOps teams as a free resource, to work to integrate security into products, using a standard approach. By doing this, the CISO enables rather than dictates, and creates development evangelists respected by their peers who can show how security practices are embedded into development pipelines.

Donating cyber skills

    Vodafone is using a DevSecOps model, getting involved in product and service design and development. They want to empower development teams by appointing a security champion, providing training, tools and where possible reusable code. American Express has a similar philosophy, as Michael Papay, Executive VP, Enterprise IT Risk and Information Security, explains: “We embed specialized resources across functional areas to drive awareness and swiftly address information security and risk issues. These people understand the business challenges and apply a security lens to ensure the most effective response. This model also serves the dual benefit of creating a best practices feedback loop.”

Gamification

Particularly relevant for product developers in DevOps teams, gamification is a great way to enthuse and engage people on the importance of cyber security. It lets developers integrate security within their daily jobs, with the ultimate reward of a faster release into the market. Other events like ‘Capture the Flag’ games can help to upskill the DevOps team and build closer relationships.

Cracking Operational Technology (OT) security

Security is not just about servers and laptops, now that computers have become ubiquitous. Today’s industrial environments are heavily dependent upon software, hardware and IoT. However, the culture of managing OT can be very different, an engineering mindset, a focus on availability and safety, and a strict approach to managing downtime. In championing OT security, it’s important to get into the heads of engineers, understand their objectives, win their confidence, and demonstrate that threats are real. Cyber professionals can then develop pragmatic solutions reflecting the reality of legacy systems, complex vendor landscapes and the need for 24/7 availablity.

Segregating OT risk

    With many research and manufacturing sites around the world, GSK is engaged in a multiyear program to gain an enterprise view of risk. Although each site has its own responsibility for OT upgrades, the central cyber security function will have the capability to contain the risk to one location in event of an attack.

Incentivizing common good

Axiata is just one company that opts for what they call a ‘Collective Brain’ approach, as Abid Adam, Group Chief Risk and Compliance Officer, says: “We incentivized the different operating companies to work properly together and drive consistency. We restructured KPIs and remuneration, which meant they all had skin in the game. They were then tasked to come up with solutions that solved not only their problems, but the problems of other operating companies — and aligned with their business too.”

CISO as a broker, integrator, orchestrator

KPMG thinks

People are often called the weakest link in cyber security. But actually, they can be critical to cyber security if they are well educated, supported and incentivized to make the right decisions, and understand how their actions impact the security of customers, operations, intellectual property, money, and reputation. By acting as a kind of ‘Chief Cyber Security Marketing Officer’ CISOs can foster a true security culture, constructing an effective cyber brand that’s aligned with the organization’s mission and values.

The nature of the cyber threat is subtle, sophisticated and constantly evolving, which calls for learning techniques based upon social cognitive theory, to make security second nature, and enable employees to look out for and recognize hackers and criminals. This is especially so when combatting fraud and financial crime, where everybody involved in the customer journey should be fully connected and committed to protecting customers’ data and money.

The new hybrid world of home and conventional office-based working brings multiple threats, often from unaware family members using the same networks. Every employee should be taught to treat the home as an extension of the workplace and become ‘CISO of their own house’. The most successful awareness campaigns make it personal and educate employees on protecting themselves and their families, not just the company. It’s also important to recognize the demographics of the workforce. Different age groups have very different views on data security and privacy, which will influence the messaging on cyber security.

There’s more than one way to embed security. Some favor a hub-and-spoke model, with a smaller, core security team that performs security operations, with security professionals embedded into lines of business — or ‘donated’.

With organizations digitizing at warp speed, we need to embed security in every process of developing solutions and products, so that people think about security before transforming and as they transform digitally.

Leah Gregorio
Managing Director, Cyber Security
KPMG in the US

 In such a structure, the cyber security function becomes a broker, integrator, orchestrator; a big leap for technically minded security professionals accustomed to enforcing from the comfort of their desks. Automation will make the task easier, taking every day manual checks out of the hands of busy workers.