As executives evolve their companies out of mere “compliance mode” toward the development of an active and anticipatory information security culture, the primary challenge they face is in developing an adaptive balance between security, privacy, costs and efficiency.
Jason Popillion of GCommerce (now a part of SPS Commerce) spoke at the 10th Annual Pratum Secure Iowa Conference during one of the breakout sessions to discuss the corporate and technical role of the Chief Information Security Officer (CISO) and the challenges of balancing risk management with nimble strategic information security decision-making.
The security risk environment continues to evolve. According to the IBM Security Cost of a Data Breach Report 2022, the average reported cost of a successful data breach in the United States is $9.4M. 83% of organizations have suffered more than one breach in their history. About 60% of the organizations studied in the report who suffered a breach reported an increase in prices to their products and services as a result of a breach. This means that organizations should no longer justify a failure to invest in security in the name of cost savings. Furthermore, according to Popillion, ransomware attacks have increased in frequency, from one attack every 40 seconds in 2016 to one every 11 seconds in 2021. IBM Security indicates that ransomware attacks are also more expensive than a typical data breach, and that expense excludes the cost of the ransom itself, if paid!
Popillion was quick to point out that approximately 95% of all breaches are due to, or at least involve a component of, human error. Approximately 75% of organizations are not prepared for such a costly risk. In fact, one factor that allows attacks to proliferate is a culture of silence among organizations victimized by ransomware attacks.
In the case of a more traditional data breach, organizations have adapted to the best practices of identifying, responding and reporting it. In the case of ransomware, however, organizations who only suffer a data loss (via encryption or deletion) but not an exposure of personally identifiable client or employee information are more reluctant to broadcast their perceived security failures to the world. Popillion believes this to be a mistake. As the leader of an organization that suffered, and survived, a ransomware event, Popillion says, “I want to be able to say someone attacked me, I fought it off and I’m better for it.”
Companies who develop a security culture are more likely to contribute to the global defense against ransomware, because they are more likely to share their strategic victories and setbacks, contributing to an overall lower-risk business environment.
Most organizations will have some leadership on board with the strategic development of a security culture, but it really takes everyone at the top to be on the same page, It is the job of Information Security leaders in an organization to assist executives through the changes. Popillion identifies two overarching challenges to developing such a culture and strategy.
Challenge 1 – Effectively Communicating Security Demands with Executives and Boards
Every organization needs consensus on security culture and clear information on security initiative costs and benefits. Security leaders must communicate those needs effectively to the rest of the C-Suite in order to foster that consensus.
Popillion identified 5 keys to doing that:
1. Keep it Simple
Security technology and strategy is complex, but if you communicate the complexity of an initiative and include technical details to justify its adoption, you are likely to lose an executive’s interest.
Instead focus on the value of the technology and keep your message simple and direct.
2. Communicate With Numbers
While the security expert may be most persuaded by subjective illustrations of the potential defense of an initiative, an executive wants to be able to trust security staff, and needs measurables to adopt recommendations confidently.
Instead of spending time trying to explain how a new technology or initiative works, concentrate more on communicating how its success might be measured and reported. Use hard numbers.
3. Get to The Point in Under 60 Seconds
Brevity may be the soul of wit, but it is also critical to persuasion. Executives suffer numerous long meetings and large chunks of information on a daily basis.
If you can condense important information into a true elevator pitch, you’ll provide leaders with memorable, actionable clarity.
4. Use Visuals
Most people can more deeply recall information that has a visual component. Words and visuals exercise different parts of the brain.
Executives also appreciate seeing something that they could imagine using in their own presentations to justify or advocate important decisions.
5. Do Not Make Assumptions
It is very tempting to waste time and energy equivocating against, instead of advocating for, an initiative simply because knowledge, aptitude or even an attitude is assumed of executives.
Don’t try to change minds or win hearts when you don’t necessarily know the state of those hearts and minds.
Instead advocate the position, justify it quickly, and identify the value.
Here is an example of how Popillion’s keys to communication might be used in order to promote an initiative to an executive:
Perhaps you believe that it is time for your organization to implement some type of XDR and you need a particularly resistant executive to buy in to the idea. You could assume that the executive’s resistance is based on a general ignorance of the technical advantages of XDR and schedule an educational 30-minute presentation on the options, detailing the technical benefits of increased visibility into the corporate network, the various models available (managed or unmanaged) and the potential for significantly reducing the organization’s exposure to risk.
Such a seemingly reasonable and common approach may be much less effective than simply saying something like, “I think we should implement XDR. Even though only 44% of our competition is doing it right now, that figure is growing, and research indicates that organizations implementing any form of XDR will reduce the time spent on a data breach by nearly a full month -- 29 days. On top of that, take a look at these cost savings:”
By keeping it simple, communicating with numbers, getting to the point quickly, using visuals and not making assumptions, the trusted security expert at a company will make cleaner, more persuasive, more efficient advocacy for risk mitigation and network visibility and defense.
Challenge 2 – How do you grow security while managing resources and investment?
Even with leadership support of initiatives, cost management and growth will always be the prime directive driving executive strategy. So, it is important for Information Security to position its goals in some sort of alignment with cost objectives.
Cost Center Mentality
The problem is that most organizations view Information Security as a cost center at a company, and has been conditioned to associate every new security initiative with a directly proportional increase in expenditure. Popillion recommends a culture-first, investment-second approach to begin to change this view.
In other words, if your organization can develop a security-minded culture first, then demand for innovative security investments will be viewed more correctly as investments in the health and growth of the organization and will be more closely tied to both loss prevention and production cost management. After all, if data breaches are correlated to service and production cost increases, improved security will better prevent runaway costs.
A Security-Minded Culture
Popillion believes it begins with employees. Because the vast majority of successful attacks involve some sort of human error, the employee base is the absolute best environment to shore up. Training and education is critical, but it is not enough to foster a security-minded culture, however.
Most organizations have policies and procedures, as well as training modules or sessions. In order to foster a culture, an organization should make private and work environment safety of employees a major strategic stake. Employees are the hands and feet of an organization. Their conduct and personal security is not only what is more likely than that of executives to connect with third parties such as vendors on a daily basis, but is also what enables the company to perform its core mission. Employees are critical resources in the ongoing promotion of Information Security, and also provide latent promotion and training for vested outsiders. Vendors rarely are put through an organization’s security training process, but a vendor who has a business relationship with a well-educated, security-minded employee is more likely to support, rather than unintentionally thwart, an organizations’ security culture.
The security relationship between a business and its employees, at its best, is symbiotic: the more the employee is kept safe and encouraged to understand and promote a security-minded culture, the better protected the corporate network becomes…and vice versa.
Tabletop Exercises and Low Cost, High Impact Security Growth
A second component to this challenge lies with the security team itself. No matter how strong the overall security culture at an organization is, Information Security will obviously be the first line of defense. A high-value approach to increasing the efficiency and effectiveness of the security team contributes to the growth of security but doesn’t have to cost a lot. Popillion recommends regularly scheduled tabletop exercises once every month. Executing simulated events using the existing services not only hones the skills of security specialists, but also allows for the introduction of new models, the documentation of findings and regular reviews of remediation without any of the real costs associated with actual attacks and their aftermaths. The Roman general Vegetius once lamented the decline of the quality of the army when he wrote, “"if you want peace, prepare for war." Tabletop exercises provide effective preparation, and once implemented as a regular part of the workcycle, provide valuable ongoing improvements to an organizations security without correlated increases in costs.
Jason Popillion, Chief Information Officer/Chief Technology Officer at GCommerce is the two-time recipient of the Technology Association of Iowa Chief Information Officer of the Year award. Prior to GCommerce, Jason architected and developed an EDI and Customer Relationship Management (CRM) system for the State of Iowa that received 8 national awards including CIO’s top 100 innovations, Harvard Innovation, and Gartner–High Performance Workplace awards. In 2021, Jason earned the designation of Certified Information Security Systems Professional (CISSP). He is also co-founder and co-host of the Cyber Distortion podcast.
