Cybersecurity is now everyone’s concern -- from teams in the trenches all the way up to the CEO (if the headlines about cybersecurity and insider threat incidents are any indicator).
In reality, many leadership teams wait until it’s too late (and a cybersecurity/insider threat incident has already occurred) to to insider threat management. However, the right level of communication and “managing up” can help cybersecurity teams create more insider threat awareness among the organisation’s leadership. The more C-level awareness and buy-in, the better adoption of cybersecurity best practices will likely be.
Here are three ways to engage management on cybersecurity and insider threat-related topics:
Think About Cyber Literacy from a Business Perspective
Many times, leadership teams aren’t necessarily engaged in cybersecurity efforts because they feel culturally disconnected with teams in the trenches or don’t understand the core issues.
According to a recent TechRepublic article, many leadership teams assume that cybersecurity is only a technical problem (and not a people problem), because they have no reason to believe otherwise.
This sentiment may prevail because often, the primary form of communication between teams comes from security telling business execs that a cybersecurity incident has occurred (and the ensuing blame game that’s directed their way from the C-Suite). In addition, even though 76% of boards review and approve cybersecurity strategies, 41% of board members admitted to a lack of expertise in the area, according to a Ponemon Institute study.
Reframing some of the key issues could help close this knowledge gap. For example, your cybersecurity team might want to become more proactive with communications to executives and board members, highlighting on a quarterly basis both successes and points of weakness -- along with an explanation of why these trends are occurring.
A proactive approach (versus a reactive “as something goes wrong” style of communication) could lead to increased cyber literacy over time. It also mimics the process for minimising insider threat risk, and other cybersecurity risks.
It’s also the responsibility of the cybersecurity team to help leadership understand the scope of the potential problem.
For instance, many executives may not understand the cost of an insider threat incident, or it’s relative impact on the key things they care about, i.e. the proverbial “bottom line.” Framing the issue in the context of dollars and cents may help the leadership team benchmark the organisation’s risk of financial exposure relative to others in the industry (which may be a good entry point to talk about larger cybersecurity issues).
Talk About People First
Often leadership teams can become fixated on technology as a panacea for stopping insider threats, when people are at the heart of the matter. In fact, two out of three insider threat incidents are caused by employee or contractor mistakes, which could be easily avoided with the right internal cybersecurity awareness initiatives.
In fact, according to SANS Institute, 85% of cybersecurity awareness professionals reported that their work had a positive impact on their organisation. Cybersecurity management and business leadership teams need to understand that addressing the root of employee or third-party contractor errors could significantly reduce the number of accidental insider threat incidents in the organisation.
One way to broach the topic is to enact an initiative to build a positive cybersecurity culture in your organisation, focused on coaching employees proactively and encouraging open, honest dialogue. This initiative could start as simply as providing open sessions to review cybersecurity policy with employees, which offer opportunities to ask questions or discuss the use of certain technologies they may need. If any cybersecurity tools are restricting team members’ ability to do their jobs, these sentiments should be able to be discussed openly and directly with the cybersecurity team-- rather than employees taking matters into their own hands and bypassing protocols.
Use Historical Context
Most leadership teams are driven by data and hard evidence, which can be difficult for cybersecurity teams to provide based on a combination of alert fatigue, the inability to quickly pull relevant contextual data, or a lack of visibility into certain threat vectors (such as insider threats). However, certain insider threat management tools, like Proofpoint’s Insider Threat Management platform, can provide contextual data on file and user activity for potential insider threats.
This information can not only aid with the investigation process, but also help point to important trend lines in user activity that may be problematic for your organisation. Packaging these trends for executives can help them understand the most common insider threat indicators within your specific organisation.
If you do not have such tools in place, citing media stories about insider threat incidents that are relevant to your industry may raise awareness among the executive team, proving that these types of incidents can -- and do -- happen to anyone.
How Do You “Manage Up?”
We’re curious about how your team manages up and communicates progress to the leadership team. Sound off on Twitter @Proofpoint, and share some strategies that work for you!