Douglas Graham, chief security officer at globalization services provider Lionbridge, says it's time to put the rumors to rest: C-suite executives are getting a bad rap for refusing to comply with security policies. In his experience, their so-called failure to fall in line is often a case of simple misunderstanding.
"At a prior workplace, I once asked my CEO why he'd refused to do security awareness training. He told me he'd never said that at all and that he felt that there should be no exceptions to the training. As it turns out, someone else had made the decision for him," Graham recalls. "Across my career, I've found many C-suite executives are not fully aware when they aren't in compliance; rather, others often make decisions for them based on what they think the executive might or might not tolerate."
New research from security vendor Bitdefender on C-level executives' willingness to follow security protocol is not encouraging. Its "Hacked Off!" report surveyed more than 6,000 infosec professionals globally, 57% of whom said key executives are the ones least likely to comply with a company's cybersecurity policy.
But why? Other research finds security is an increasing priority across all levels at most organizations. For example, a study earlier this year from Radware found cybersecurity was recognized as a key business driver by the C-suite, with 98% of C-suite executives noting they have some management responsibility for security.
It's also well-known that CEOs and other top execs, with their influence and exposure to critical data, are seen as targets. According to Verizon's "2019 Data Breach Investigations Report," C-level executives are being increasingly and proactively targeted by social breaches for financial gain. And senior executives are 12 times more likely to be the target of social-engineered attacks.
Clearly, an understanding of the need to be careful and risk-averse is sitting with the C-suite. So why are they getting a reputation for being bad at compliance?
"It's time to take a look at the controls or the culture," Graham says. "CISOs need to work with the C-suite and other key influencers to explain the reason behind the controls and not just demand compliance for compliance's sake, even if that takes more time."
High-Ups Require Different Levels of Control
John Pescatore, a veteran analyst and professional in the security industry, has seen the issue evolve over the years. Currently the director of emerging security trends at SANS, he says one of the most common reasons executives don't comply with security policies is that they need security controls fit for them exclusively.
"Too often security policy has been one-size-fits-all – the same for the CEO as for her secretary," Pescatore says. "This makes no sense. Never has. There are many areas in corporate policy where executives have additional privileges and accommodations compared to the average employee, and security policies need to do so as well."
Pescatore points to the example of a security policy that prohibited the use of Blackberries several years ago and, in more recent years, iPhones. A solid case for having a secure mobile device at the executive level easily could be made, and it made sense to find a way to configure mobile devices securely for the executives. But in many places, that didn't happen. So executives simply brushed up against the directive not to use their devices for work – and did it anyway.
"Too many security teams fall back on, 'Well, we told them not to do that' rather than focus on developing security architectures and controls that can enable those executives to securely meet the demands of their jobs," Pescatore says.
Spell Out the Risk With $$$
Want to get executives to pay attention to how much their lack of compliance might cost? Give them a breakdown of the cost of a breach, says John Gelinne, managing director, advisory for Deloitte Cyber Risk Services.
"CISOs need to hit the other C-suite members in the pocketbook," Gelinne says. "Taken one step further, the financial impact associated with the exploitation of an executive by an adversary can be calculated through evolving cyber-risk quantification-modeling techniques. Cyber-risk modeling can illustrate, in financial terms, the broad business impacts a cyberattack can have — from the time an incident has been discovered through the long-term recovery process — all as a result of a single executive, exploited by a single adversary at a single point in time. By looking realistically at potential costs, business leaders can see the direct impact of how their actions can hit them, and their shareholders, in the pocketbook."
Gelinne also recommends training specific to the C-suite. This can help them understand how — and why — they will be targeted with spear-phishing and whaling attacks over email. When it comes to executives, criminals are often willing to be very patient in order to pull off the long con in the hope of a very big payoff.
Is It All Just a Big Misunderstanding?
Pescatore also notes that a lot of the buzz around the C-suite's bad attitude about compliance is misplaced.
"When I do briefings to boards of directors, I always ask, 'How many of you use an iPhone or Android phone for your business?' and these days it is pretty much 100% of them. Then I ask, 'How many of you use the fingerprint or facial recognition to open your phone?' Typically, 80% to 90% [do], yet most security teams will say, 'We can't get the executives to use strong authentication.'"
So maybe it's time for the security team to have a change of heart about executives. A lot of evidence shows those at the C-level really do care about security. Ultimately, Pescatore says, it's about marketing security in a positive way to get C-suite buy-in. And many CISOs are already doing that, he says.
"[I have a] lot of positive examples out there of CISOs strong at communicating, selling, and enabling business," he says. "Those are probably in the 41% that were not blamed [for lack of compliance] in the Bitdefender survey."