Cyber Security and the Human Factor – An Opinion Piece

Born and bred in IT – and first influenced by global Oil & Gas, the Japanese and the German manufacturing industry – I never experienced excessive levels of management before entering the more anglophile international workspace outside my home country. At best, between me and the board were only two clear structured formal management levels. Ranks and titles did not mean much; the assignment you received came with clear objectives, authority and no regards to your rank. One day, you may have reported to your team leader, and the next day, with a new assignment, you might have reported to the CEO. You’d better be good and know what you are doing. Leadership skills and the ability of unbiased communication were necessary, even if one had no formal rank. The leaders were listening, and every bit of expertise was most welcome. Fast forward to the present day... When it comes to the matter of cyber security and the assessment of risk, it doesn't seems to work in the same way everywhere. I remember rushing to the head of security (CISO) at some bank and telling him that one critical shell binary (called cmd.exe) across his environment of hundreds of servers changes frequently. This CISO was only shrugging his shoulders, clearly signaling that he was not interested at all. On another occasion, I attended a meeting with front-liners from some regional government. The tools in place were not used at all, and I asked how they had passed previous audits. Apparently, the auditors brought in by the government looked at the paperwork, saw that tool from xyz-company was in place, and ticked the box. Needless to say, this exact organization had since been visited twice by unfriendly hackers – having collected an undisclosed amount of credit cards. Once I sat in a conference room investigating some update activities where rock-old objects of operating system binaries had been deployed almost everywhere. After complete denial, lots of smokescreens, and misleading answers, I worked out that a “private” repository had been used. When I then requested proof that this private repository had not been compromised, I received straight, outright laughter. The ones laughing at me were from the outsourcing company running and managing the entire IT infrastructure, while the representatives of the customer were sitting next to me. One of the guys from the customer then pulled out his cell phone, and said: “Hi boss, I guess we have a problem.” It could be argued that these are only anecdotes, not representing the actual state of cyber security operations within the global economy. I would disagree. I remember a national security conference where a very senior CISO with national recognition appeared on stage with basically only one message: “Look how clever we are.” The audience was mesmerized and impressed by their own importance. At that point, I couldn’t disagree more, giving my experience from the inside of the very same organization. Many more examples of this kind could be given here, but... Recent developments and events are going to change the landscape. Since CEOs have gotten the boot after successful cyber-attacks, the message gets eventually through – kind of, I am inclined to add. Criminal investigations are increasing the pressure and will have by all means an impact on cyber security risk assessments. Thanks to a whole new dynamic, changes are trickling down the line. (Although too slow, in my opinion.) The message will at some point reach a wider audience, and it will take some more time. Though one group of people learned already very quickly. Security jobs on various levels are now in high demand, and everyone who is smart enough to rewrite a very modest CV by adding some magical words tries to land a job in the security space somewhere. And yet many succeed. That is not helping the cause. There is no universal recipe to improve and advance this industry and the economy when it comes to cyber security. The culture must change, but it has not – and it is far from changing. What has changed is the availability of budget in response to the rationale that one could actually lose the job by not doing the right thing or not understanding at all. I wish that regulatory bodies would implement severe punishments for failure. Recent data breaches imply that reputation is the driving force at the moment. For the senior management level, I would like to see more awareness and understanding of the problem with cyber security beyond their intention to safeguard their own jobs. But until then, while there is no obligation to cover the cost of own failure, companies will find it hard to explain expenditures to the shareholder. The “middle management” must step up and take more responsibility. Where senior leadership at least get the message right, the lower management levels must translate necessary objectives into reality. Driven by targets and personal goals and guided by actual competence, the results are not always matching the given directives when you take a close look.