The ideal security model: a cyber savvy workforce

The most important component of a cyber security model is that it must be understood by all employees.

Martin Tyley, Partner, KPMG in the UK

The most important component of a cyber security model is that it must be understood by all. It will fail without an organisation-wide understanding of its importance and how it locks into the wider operating model.

Better cyber security doesn’t necessarily mean acquiring the latest technological solution. Robust cyber security capabilities depend more on the whole workforce understanding the potential risks and the behaviours required to mitigate them. All staff are responsible for cyber security – from wearing security passes visibly to avoiding taking risks with corporate data.

A matter of strategic business importance

For example, if a USB memory stick with sensitive data is lost, the failure, superficially, lies with a member of staff not considering the data security implications of their actions. However, it is typically a poor business process, or the lack of any process, that leads to the need for the data to be placed on a memory stick in the first place. In addition to technological cyber security solutions, appropriate processes, as well as a cyber security aware workforce, are a prerequisite.

My view is that cyber security has evolved from being an IT only issue, often buried in small security teams, to one which should be considered as being a matter of strategic business importance. It should be on the radar of board members who need to understand it and make informed business decisions about potential risks.

Keeping pace with hackers

In the recent past, when cyber security was an issue confined to the IT function, it was a relatively minor operational issue, in part because criminals also had little appreciation of the accessibility and value of corporate financial and information assets. In the UK, it was only the likes of the Ministry of Defence and other security services which understood this threat.

However, over time, cyber criminals have become more sophisticated and organisations have had to stay ahead of, or at least keep pace with, hackers. As a result, this is now an issue which boards have to take seriously, if for no other reason than that the consequences of not doing so are potentially so serious.

Cyber security shouldn’t just be the ‘topic du jour’

Cyber security is currently the ‘topic du jour’ – but this is a double-edged sword. While it’s a good thing that this issue is receiving such attention, I would much rather it was seen as a standing agenda item and part of an organisation’s DNA.

Both internal and external advisers who have the ear of boards can be guilty of using scaremongering tactics to stimulate action to tackle cyber security threats. This can prompt a knee-jerk reaction and a surge of activity to address the identified issue. However, once the specific issue is resolved, there is a risk that attention shifts to the next challenge and cyber security falls back below the radar.

Cyber security should be part of the day job for everyone. Organisations often spend a lot of time training the few rather than the many. However, educating ‘the many’ – often staff who may currently consider cyber security as nothing to do with them – is the foundation of any effective cyber security model.

Maintaining business as usual

Unless a company has a continuous view of its risk profile and maintains and refines its controls accordingly, it’s likely to be exposing itself to an unacceptable level of risk, given the value of data and the regulatory interest in data security. Put simply, cyber security needs to be as instinctive a behaviour as locking the office doors at the end of the day – it needs to be part of business as usual. Such an approach also normalises an issue which may otherwise be kept ‘out of sight, out of mind’ because it’s considered too hard and too complex.

I believe that because organisations haven’t agreed how cyber security fits into their operations, they end up spending a fortune on technologies and solutions without thinking about how to re-engineer or adjust processes to make them more secure by design.

A technology solution alone cannot ‘fix’ cyber security flaws. Every single person in a company needs to know something about their cyber security model – not everyone needs to know everything, but everyone needs to know something.

Thanks for reading