Last week I posted on an encouraging trend I witnessed over the past 2 years: the emergence in some utilities of security governance boards made up of security and privacy leaders, often a rep from legal or compliance, and senior stakeholders representing different business lines. Soon after it went live, I received multiple corroborations from friends in the field who have seen the same thing in their patches. This is all goodness.
But there are other, less uplifting trends you should be aware of if you're not already. I've seen senior executives who have not once met with their cybersecurity leaders and who feel they have no reason to do so. I've had senior state regulators tell me that they haven't really thought about cybersecurity until very recently.
And I've heard that in some organizations that have tried to raise awareness through spear phishing themselves, there's often a correlation between seniority and the worst offenders clicking on dangerous links. Match that with the fact that senior management often has heightened access to some of the most sensitive corporate data, and you've got a recipe for big trouble.
Sometimes when I’ve asked about security awareness and training efforts at utilities I’ve found that the executive suite has exempted themselves because they’ve got more important things on their plates. No doubt the most senior personnel are deliberating on the most pressing challenges and opportunities facing their organizations. It all comes down to how we weight and value security.
When mid-level and junior personnel see their senior leaders opting out of security training, the cultural signals are unmistakable: security awareness and preparation in this company/organization are not on the same plane as safety, reliability, compliance, efficiency, etc. That approach was fine in the past, but I'm not sure I like the kind of future it portends. Let's work to make a better one.