Engage in continuous learning around what new technologies mean for cyber security, writes professor Deeph Chana, co-director of Imperial College London’s Institute for Security Science and Technology and its Centre for Financial Technology.
Cyber security can seem obscure, but in many cases, it’s about dealing with the risks that arise from common human behaviours. Using and re-using simple passwords or replying to emails without checking the identity of the sender seem like common slip-ups but can often constitute cyber breaches.
These scenarios play out across organisational boundaries and all levels of seniority. The chance of a cyber security breach occurring is heightened when people believe that dealing with it is “someone else’s problem”.
Cultivate a widespread and adaptive security culture
Organisations need to cultivate a widespread and adaptive security culture, driven by leaders who continuously learn and update their knowledge and skills. The 2018 FTSE 350 Cyber Governance Health Check showed that boards are increasingly recognising the importance of cyber security, but this is rarely followed up by actions to develop and establish sound security practices. Only 16% of respondents said their boards had a firm grasp of the wider impacts associated with a cyber security incident.
This suggests that executives lack the depth of knowledge needed to make a decision on whether to take action – but why? According to the Research Institute in Trustworthy Industrial Control Systems, a multi-university research programme led by the Institute for Security Science and Technology at Imperial College London, the knowledge shortfall can be attributed to inaccessible technical language.
This language barrier can play a significant role in obstructing the timely escalation, examination and mitigation of risks. Boards and senior staff simply aren’t asking the right questions about cyber security risks within their organisations; faced with a lack of clear information, employees will often use their own judgement on best practice, which can lead to negative consequences.
Investment in organisational resilience
Investment is also needed in organisational resilience. In the FTSE 350 survey, just 46% of firms with a cyber security strategy could point to a dedicated budget for it. Cyber security is still often seen as a purely technical issue, meaning that provision for dealing with it is assumed to be taken care of within IT budgets.
Of the businesses surveyed, 29% said their strategy was largely focused on technology improvements and implementation. However, it’s crucial that businesses do not isolate their efforts solely within specialist teams. This only promotes compartmentalisation.
Leaders must keep abreast of what new technologies mean for cyber security. Without a basic level of technical competence, they will struggle to ask good questions and contribute effectively when identifying and prioritising risks, enacting appropriate measures to minimise exposure, dealing with crisis events and generally driving the continuous development of the security culture within their organisations.
Today, it is critical to create a culture in which leaders are knowledgeable, communication and collaboration around risk across teams is effective, and investments in solutions are broader than technology. Decision makers must be engaged in continuous learning for this to happen. But picking the right blend of solutions will be an enduring challenge — there’s plenty of snake oil out there.
Register for insights and updates or implement one of our levy-funded leadership programmes by clicking on the buttons below.