Why Companies Are Failing at Cybersecurity
CISO Marco Túlio Moraes on the Difference Between Being Aware and Being Educated
I remember the days when we, as cybersecurity professionals, hunted data leaks like crazy people. We were like vampires at the sight of blood. Whenever something came up, it was a huge opportunity to protect our companies and also to educate them by making them aware of cyber risks they knew nothing about.
But then we encountered the "enthusiasm valley" and stopped being preoccupied with cyberthreats. We became complacent.
In the meantime, security incidents have increased everywhere. Companies obviously need to be diligent about cyber matters. If you don't believe me, look at the infographic "The Top 50 Biggest Data Breaches From 2004-2021." Over 17 billion data records were lost in those breaches, and 6 billion of them were stolen in 2021 alone.
Awareness vs. Education
Is awareness the issue? The reality is that the business lines, the board of directors, senior executives and the companies are already aware of cyber risk. But being aware of something is quite different from being educated. And that might explain a few things.
In its "Global Cybersecurity Outlook 2022" report, the World Economic Forum asked business and cybersecurity executives if cyber resilience is an established priority in their organizations. Forty-three percent of the business executives said it was, but only 13% of the cybersecurity executives agreed.
That means there is a gap between how business and cybersecurity executives see the problem.
A business executive may be able to see only one-fifth of a security risk. So everything they do to handle the risk - their approved solution - is limited to the portion of the risk they can see. With that incomplete view of the problem, they can say with conviction: "This matter is a priority for our company." But is that true?
Security executives, on the other hand, have a broader view of the challenge and know that more needs to be done. And because it's not being done, they say the issue is not being prioritized.
Defining what cybersecurity means and what the priorities are for your business is not an easy task. And if business and cybersecurity don't understand each other's languages, it's even harder.
Beyond Educating About Technology
Education - through communication - may be the answer.
Cyber risks and solutions to mitigate them are present in products, operations, services, innovations, the supply chain and human behavior, so it is essential to educate the company in a way that goes beyond a concern with technology.
The purpose of information security is to enable business opportunities, such as digital transformation, and, above all, to protect people and their data in a stakeholder economy. Mitigating the risk of being the next target is an intrinsic part of having cyber in place.
Ask yourself - and everyone in the company - these two questions to start your company's cybersecurity educational journey:
- What is a priority for your business?
- Is it enough?
When you know what your priority is, compare it with all the cybersecurity efforts going on at your organization.
When you know it's not enough - because it's not - share that with your cyber team. Understand why it's not enough. And remember, I'm not the one saying it is not enough - the World Economic Forum is saying it.
Then, on the other side, in collaboration with the business lines, work to make your cybersecurity program "enough." Understand their business goals and concerns, how their businesses operate, which products they have, what partnerships they have in place, their vendors, the data processed, and the technology inside everything.
Identify risks and opportunities, and see how you can place cybersecurity to enable, sustain and protect everything. Focus on what your business needs, not on other best practices or frameworks that your company does not require.
It's time to educate ourselves more about the real risks to our businesses. Cyber ignorance is not bliss.
Marco Túlio Moraes is the CISO at OITI. He has 20 years of experience in technology, risks and infosec, with over nine years of international experience, in the financial, tech, health and retail/marketplace industries and in startups and utilities. Moraes developed one of the first cybersecurity programs in Brazil and was recognized by IDG in 2020 as one of the top 50 global CISOs.