CSOs should look past ineffective “compliance mentalities” and treat the looming introduction of breach notification laws as an opportunity to destigmatise security breaches in order to build a more open, consultative culture amongst employees, according to the regional head of one large-scale security advisory.
Existing business cultures have tended to foster secrecy around breaches, which have generally not been exposed externally and are frowned upon internally by the IT staff who typically run the educational campaigns meant to improve employees’ security awareness.
Yet by creating a dynamic in which employees are preached to from on high, many companies have inadvertently fostered a culture where employees adopt a defensive posture rather than proactively engaging IT to address any problems that occur.
This leaves security staff primarily responsible for discovering, attributing and resolving security breaches without employee involvement. With risk structures shaped through executive mandate, many security executives have focused on checklist-driven compliance – but this is the wrong way to go about it, Joshua Kennedy-White, APAC managing director for Accenture Security, told CSO Australia.
“Typically changes in regulation drive a lot of work as businesses get their heads around it, but people often go through a checklist approach,” he said, likening checklist-based compliance to ‘one hand clapping’. “That’s the wrong way to think about it. The right way is to think about where are the risks, where are the crown jewels, where are any vulnerabilities, and what do companies need to do to fix that?”
Accenture’s recent High Performance Security Report 2016 hinted at the consequences of this approach, finding a high degree of confidence amongst business executives that their organisations were doing the right thing around security.
Although 75 percent of respondents were confident that their cybersecurity strategies were correct, fully 51 percent said it can take “months” to detect successful breaches, and an additional 17 percent said it can take up to a year. Meanwhile, Australian respondents said they experience an average of 80 targeted cybersecurity attacks per year, with 41 percent of those resulting in successful breaches.
This disconnect, reinforced by the finding that some 34 percent of breaches are discovered by employees rather than by security staff or tooling, highlights the need to improve feedback loops between IT-security staff and employees. And this, Kennedy-White believes, is where breach-notification laws will offer CSOs a significant opportunity for change.
“We’ve got to take stigmatisation away from security threats,” he suggested, noting that most internal compromises are the result of accidental breaches by employees rather than intentional, malicious activity. Given that so many breaches go unnoticed for so long, enlisting employees in detection and reporting will be crucial to improving reporting rates, hastening remediation of breaches and allowing security staff to minimise overall risk.
“If we can break it to people and say that ‘it’s OK’, and that there will be no recriminations, then we can remediate and educate employees. Because employees will have a legal obligation to report breaches, it’s really going to help the culture of bringing this out into the open.”
The Notifiable Data Breaches Bill will lay out an extensive framework for the reporting of data breaches by government agencies and by businesses with turnover of more than $3m per year. It provides for large fines and gives the Office of the Australian Information Commissioner (OAIC) a range of powers to investigate breaches and to mandate particular behaviour by the companies affected. Voluntary disclosure will go a long way towards demonstrating good-faith compliance with the spirit of the law.
“Legislation alone is never going to solve this problem,” Kennedy-White said. “Boards understand risks and fines – but that must combine with a culture of sharing to really collectively understand what the threat is, and to find the tools and mechanisms and training to make it really hard for those adversaries.”