Building an organisation-wide cybersecurity culture requires a radical shift in thinking

Stephen Roostan, VP EMEA at Kenna Security, explains why every question from your CEO is an opportunity to shape the security culture in your organisation, and how adopting a risk-based vulnerability management mindset offers the best opportunity for success.

When it comes to an organisation’s data security, what should a CISO’s top priority be, both now and in the future? A joint study by PWC and Harvard Business Review asked over 200 business executives across Europe and North America exactly that, and the responses they received revealed some interesting insights.

According to respondents, the current focus for CISOs is on more tactical activities such as ‘building and maintaining threat-resistant systems’ (56%) and ‘identifying potential external threat factors’ (51%). Even though this research was carried out pre-COVID, the results were on a par with CISOs’ priorities during the pandemic. In short, focus is on the here and now. However, three years from now, respondents believe this should be on the much more strategic objective of ‘building an organisation-wide cybersecurity culture’ (63%).

In order to come to fruition, this switch in focus from tactical activities to strategic objectives will require a matching shift in overall approach to security, starting in the boardroom and trickling down to every other level of an organisation over time.

Seize every opportunity to drive change

When it comes to reshaping the security culture of an organisation, CISOs must use every question from their CEO as an opportunity to drive change. One of the best ways to do this is by adopting a risk-based vulnerability management (RBVM) approach to answering such questions, which will not only enable CISOs to deliver more strategic value whenever possible, but also encourage executives to think a bit more about the questions they ask going forward.

What is RBVM?

RBVM is a cybersecurity strategy in which organisations prioritise remediation of software vulnerabilities according to the risk they pose to the organisation. The need for RBVM is driven by the fact that modern large-scale enterprise networks tend to contain more vulnerabilities than their cybersecurity teams can realistically fix. RBVM allows teams to quickly assess vulnerabilities and address them in the most logical order, rather than taking a scattergun approach or focusing on areas of lower risk while high-risk vulnerabilities remain unpatched. Effective RBVM strategies are typically made up of several core components:

  1. They use threat intelligence to identify the vulnerabilities attackers are discussing, experimenting with, or using.
  2. They utilise this intelligence to generate risk scores based on the likelihood of exploitation.
  3. They take into account the business context of various assets, because intrusion into some segments of a network may be more damaging or likely than others.
  4. By combining vulnerability risk assessment and asset criticality, patching efforts can then be focused on the vulnerabilities that are most likely to be exploited and that reside on the most critical systems.
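The four components above describe one calculation: an exploitation likelihood derived from threat intelligence, multiplied by how critical the affected asset is. The Python below is an added worked example of that calculation; it is not Kenna Security's scoring model (which the article does not describe) nor code from the original page. The weights, the 1 to 5 asset criticality scale, the asset names and the `VULN-00x` findings are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vulnerability:
    """One finding from a scanner, enriched with threat-intelligence flags."""
    vuln_id: str            # constructed placeholder id, not a real CVE
    cvss_base: float        # 0.0 - 10.0 severity from the scanner
    exploited_in_wild: bool  # intel: attackers are actively using it (component 1)
    public_exploit: bool     # intel: attackers are experimenting with it
    chatter: bool            # intel: attackers are discussing it
    asset: str               # host or service the finding was observed on

# Business context (component 3): 1 = throwaway, 5 = revenue-critical.
# Constructed values for the example.
ASSET_CRITICALITY = {
    "dev-sandbox": 1,
    "hr-portal": 3,
    "payments-db": 5,
}

def exploitation_likelihood(v: Vulnerability) -> float:
    """Component 2: likelihood of exploitation in [0, 1].

    CVSS contributes at most 0.4; observed attacker behaviour contributes
    the rest, so a medium CVSS that is being exploited outranks a critical
    CVSS nobody is using. Weights are illustrative assumptions.
    """
    score = (v.cvss_base / 10.0) * 0.4
    if v.exploited_in_wild:
        score += 0.5
    elif v.public_exploit:
        score += 0.3
    elif v.chatter:
        score += 0.15
    return min(score, 1.0)

def risk_score(v: Vulnerability, criticality: dict = ASSET_CRITICALITY) -> float:
    """Component 4: likelihood x asset criticality, scaled to 0 - 100."""
    return round(exploitation_likelihood(v) * criticality[v.asset] * 20, 1)

def prioritise(vulns: list, criticality: dict = ASSET_CRITICALITY) -> list:
    """Return (vuln_id, risk) pairs, highest risk first: the patch order."""
    ranked = sorted(vulns, key=lambda v: risk_score(v, criticality), reverse=True)
    return [(v.vuln_id, risk_score(v, criticality)) for v in ranked]

# Constructed sample findings. VULN-001 has the highest CVSS but sits on a
# sandbox with no sign of attacker interest; VULN-002 is a lower CVSS that is
# being exploited and lives on the payments database.
SAMPLE_FINDINGS = [
    Vulnerability("VULN-001", 9.8, False, False, False, "dev-sandbox"),
    Vulnerability("VULN-002", 7.5, True, False, False, "payments-db"),
    Vulnerability("VULN-003", 6.5, False, True, False, "hr-portal"),
    Vulnerability("VULN-004", 9.8, True, False, False, "dev-sandbox"),
]

if __name__ == "__main__":
    for vuln_id, risk in prioritise(SAMPLE_FINDINGS):
        print(f"{vuln_id}: risk {risk}")
```

Sorting by CVSS alone would put VULN-001 and VULN-004 at the top of the queue; sorting by the combined score puts VULN-002 first, which is exactly the reordering the four components are meant to produce. The weights are the part a real programme would tune against its own incident history and risk tolerance.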

Putting RBVM into action

Below are a series of commonly asked security questions from CEOs across a wide range of industries, along with examples of how CISOs can use RBVM to not only answer them, but also start driving cultural change in the process.

What security issues are most likely to affect us and what business impact would they have?

A broad question like this means the CEO is trying to gain a better understanding of security risk through the likelihood and impact of any given scenario. The good news is that if they’re asking this type of question, it means the security culture already in place at the business is a lot more mature than many others. Using RBVM will enable you to quickly point out which vulnerabilities are most likely to be exploited and the risk tolerance for each, based on how important a system is.

I saw the news about <X>. Are we protected against that?

Anyone who has ever been a CISO will almost certainly have fielded this question at some point. Whether it’s the latest high-profile breach or an article warning about the risks posed by a new form of malware, this question will leave you scrambling for a quick answer unless you have prepared for it. The key is keeping the necessary information close to hand, whether through a data warehouse, proprietary security dashboard or similar. Knowing where and how to find the right information is crucial here.

Where can we get the biggest return on investment from a security perspective?

This kind of question is a dream come true for many CISOs because it shows that the CEO is potentially willing to make an investment in security if the returns are good enough. Justifying new investment in terms of the losses a breach could incur is one argument; being able to demonstrate measurable ROI alongside it makes a compelling combination. For example, being able to explain to the CEO how the automation and application of data science can increase the accuracy and efficiency of fixing vulnerabilities, therefore saving time and costs for the IT team, has got to be a winning argument.

How does our security risk stack up against our competitors?

This is a question that comes up time and time again at a board level, often due to the difficulty that many executives can have in measuring their own efforts when it comes to security.

Access to industry benchmarking is key to answering this line of questioning. Many modern risk management tools now contain great benchmarking features that can provide the information needed. Alternatively, participating in industry focused groups and organisations can also help you keep tabs on what competitors are up to. However, it’s important to remember that at the end of the day, the only security programme that matters is your own.

Ultimately, when it comes to security, all any CEO really wants to know is whether the business is secure and protected from cyberthreats. While the answer to this is rarely black and white, approaches such as RBVM help provide fact-based answers, steer future conversations, drive cultural change and, with luck, unlock future budget increases along the way.

Intelligent CISO