Security Think Tank: Get your users to take pride in security

Increasingly, organisations want to “go digital” and seize the opportunities presented by emerging technologies. This is a growth story for business leaders, and that’s the way digital disruption and cyber security should be seen.

It can enable them to offer new services, use new routes to market, create greater trusted relationships and stop doing some things (that can be either automated or simply stopped), and get ahead of the competition. Cyber security is critical to that digital transformation, and in particular to building trust.

As cyber security professionals, we need to help businesses change the way we talk about the issue. Most organisations have now done the basics to protect their information, and many are moving along the road to optimising their investment in security as they have prioritised efforts to protect the “crown jewels” in terms of their information.

Business leaders now need to think about how new technologies, and use of cloud, artificial intelligence (AI) and internet of things (IoT), can create their markets for the future but give them confidence that the risks can be managed. This is partly about mindset and partly about education on what the risks are and how to manage them.

We often hear talk about wanting a “startup” culture and by implication greater ingenuity and experimentation. Using this kind of startup language and associated metrics can underline leadership commitment to cutting through red tape and accelerating ideas into solutions. This “permission” to experiment helps to open minds to more agile and flexible ways of working and creates a culture that encourages users to understand technology-enabled opportunities.

However, new technology always brings with it the potential to both reduce and increase security. The key is to recognise what is important from a security point of view in these new opportunities and design the solution with security built in, in other words creating trust by design.

Alongside understanding what the technology can do for them, users need to be aware of the new types of risks they now need to own and manage as they take advantage of new developments. This doesn’t mean that everyone suddenly needs to be a technology or cyber expert, but it does mean that the organisation needs to show that they value and require good use of technology, including cyber security.

Customers increasingly expect the organisations they buy from to have good “cyber hygiene”, and this has to be the ethos that flows from the top. There is no point putting in place the right systems and processes if the leadership ignore them. The message this sends to the rest of the organisation is that “security isn’t important enough for the board to do it properly”.

This underlines the need to challenge some of the myths around cyber security and make it more accessible. People within the organisation, at all levels, should be able to understand what to worry about, and what not to. There are a number of simple ways to achieve this:

• Provide baseline training for everyone on cyber security in business language to create a common understanding and enable people to talk to each other about cyber security.
• Involve people across the business in defining the “information crown jewels” so that they buy into what is essential for the organisation to continue to run, and know what to focus on and why.
• Leaders follow their own advice; talking about cyber risk as part of business and reputational risk and visibly complying with the policies to demonstrate that they are important.

This will help people to take pride in the fact that their organisation is “good at cyber security” and see it as key factor to building trust across customer groups. In today’s environment it would be unthinkable to have a poor health and safety record. That will be the case for cyber security in a few years’ time.

By approaching digital disruption as an opportunity to deliver products and services to their customers in new and innovative ways, cyber security will become part of this growth story. This will change the mindset so that businesses can look for ingenious solutions and create trust from the outset.