PwC's talented senior cybersecurity and infosec manager Ross Foley recently gave a great talk on the growing importance of security culture within infosec. Here are the slides to help raise awareness of this issue.
2. Blackhat 2017
Security Culture | 2
"We focus too much on complexity, not harm… the things that we see, that we come across every day, that cause people to lose control of their information are not that advanced."
Alex Stamos, Chief Security Officer, Facebook
3. The security culture journey

Culture is more than awareness
There has been under-investment in the people components. Understanding your culture, human motivation and cognitive bias is critical. Behaviours need to change first and then mindsets will follow.

144% increase in successful cyber attacks on businesses.
£1.5m to £3.1m is the average total cost of the worst security incidents experienced by large organisations in 2015, an increase of between 143% and 173% on 2014.

Cyber threats are evolving
Threats are changing rapidly, with regulation (GDPR) following, and the public increasing its expectations on security.

People are the weak link
Cybersecurity generally fails where people meet technology. Humans are often the weak link.
50% of the worst breaches in the year were caused by inadvertent human error, up from 30% one year ago.
75% of large organisations suffered staff-related security breaches last year.

We are not rational. Our decisions are influenced by emotions. We miscalculate risk.
4. Why is culture so important?
"81% of hacking-related breaches leveraged either stolen and/or weak passwords."
Source: Verizon Data Breach Survey 2017
Source: HM Gov. Cyber Security Breaches Survey 2017
5. But it's not just about phishing!
"The best security technology in the world cannot help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources."
US National Cyber Security Alliance
6. So what is culture?
"The assumptions or beliefs which are common across the organisation that allow you to predict how your people will behave and what they will achieve." (PwC)

Risk culture model (source: IRM): Organisational culture; Behaviours; Ethics; Personal predisposition to risk.
7. Common challenges to culture change
• Organisation structure
• Embedded behaviours
• Prevailing mindset
• Time to change
8. And there is no accounting for people…
9. But what does this mean for security?
Security is a reality… …but it is also a feeling.
"We have zero appetite for cyber security risk"
10. The psychology of risk management…

People exaggerate risks that are:    People downplay risks that are:
Rare                                 Common
Spectacular                          Pedestrian
Personified                          Anonymous
Outside of their control             Under their control
Talked about                         Not discussed
Immediate / sudden                   Long term / evolving
Affect them personally               Affect others
11. Measuring your security culture
It's not just about awareness training or ethical phishing! Focus on the "moments that matter".

Do they proactively manage cyber risk?
• Ratio of leavers to users removed during attestation
• Exceptions to policy
• Average time to close risks

Would staff spot a cyber threat?
• Volume of email traffic to webmail
• Volume of (attempted) web traffic to file sharing or webmail
• % of users who receive targeted training

How would they respond to an incident?
• Number of submissions to phishing mailbox
• Repeat DLP offenders
• Average time to report physical data/asset losses
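One way to derive several of the indicators above from ordinary records, as an added example that is not from the original deck or from PwC: it joins a constructed HR leavers list against constructed IAM attestation removals, counts proxy requests to a watched webmail/file-sharing domain list (blocked or allowed, so attempts are included), flags repeat DLP offenders, counts phishing-mailbox submissions, and averages the time between a physical loss and its report. Every record, field layout and domain name is constructed for the example and is an assumption, not any product's schema.

```python
"""Security-culture metrics from constructed HR, IAM, proxy, DLP and incident data.

Added illustration, not part of the original slide deck. All records and
field layouts below are constructed assumptions, not a real product's schema.
"""
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed HR leavers for the attestation period.
LEAVERS = ["alice", "bob", "carol", "dave"]
# Constructed IAM accounts actually removed during the same attestation cycle.
REMOVED_AT_ATTESTATION = ["alice", "carol", "dave"]

# Constructed web proxy log: (user, url, action).
PROXY_LOG = [
    ("erin", "https://mail.example-webmail.test/inbox", "BLOCKED"),
    ("erin", "https://intranet.corp.test/home", "ALLOWED"),
    ("frank", "https://share.example-files.test/upload", "BLOCKED"),
    ("grace", "https://mail.example-webmail.test/compose", "ALLOWED"),
    ("frank", "https://news.example.test/", "ALLOWED"),
]
# Domains treated as webmail / file sharing (assumed policy list).
WATCHED_DOMAINS = {"mail.example-webmail.test", "share.example-files.test"}

# Constructed DLP events: one entry per event, keyed by user.
DLP_EVENTS = ["frank", "heidi", "frank", "ivan", "frank", "heidi"]

# Constructed physical loss incidents: (lost_at, reported_at).
LOSS_INCIDENTS = [
    (datetime(2017, 7, 3, 9, 0), datetime(2017, 7, 3, 11, 0)),      # 2 h to report
    (datetime(2017, 7, 10, 17, 30), datetime(2017, 7, 12, 9, 30)),  # 40 h to report
]

# Constructed phishing-mailbox submissions (message ids reported by staff).
PHISHING_SUBMISSIONS = ["msg-101", "msg-102", "msg-103"]


def leaver_removal_ratio(leavers, removed):
    """Leavers per leaver account removed. 1.0 means every leaver was
    deprovisioned; above 1.0 means some leavers still hold live accounts."""
    removed_leavers = set(leavers) & set(removed)
    return len(leavers) / len(removed_leavers) if removed_leavers else float("inf")


def leavers_still_active(leavers, removed):
    """Leavers whose accounts survived attestation; the names to chase."""
    return sorted(set(leavers) - set(removed))


def watched_traffic(log, watched):
    """Requests (attempted or allowed) to webmail / file-sharing hosts."""
    return sum(1 for _, url, _ in log if urlparse(url).hostname in watched)


def repeat_dlp_offenders(events, threshold=2):
    """Users with at least `threshold` DLP events in the period."""
    counts = Counter(events)
    return sorted(user for user, n in counts.items() if n >= threshold)


def avg_hours_to_report(incidents):
    """Mean hours between a physical loss and the moment it was reported."""
    hours = [(reported - lost).total_seconds() / 3600 for lost, reported in incidents]
    return sum(hours) / len(hours) if hours else 0.0


def culture_metrics():
    """Collect the slide's indicators into one dashboard-style dict."""
    return {
        "leaver_removal_ratio": leaver_removal_ratio(LEAVERS, REMOVED_AT_ATTESTATION),
        "leavers_still_active": leavers_still_active(LEAVERS, REMOVED_AT_ATTESTATION),
        "watched_traffic_attempts": watched_traffic(PROXY_LOG, WATCHED_DOMAINS),
        "repeat_dlp_offenders": repeat_dlp_offenders(DLP_EVENTS),
        "phishing_submissions": len(PHISHING_SUBMISSIONS),
        "avg_hours_to_report_loss": avg_hours_to_report(LOSS_INCIDENTS),
    }


if __name__ == "__main__":
    for name, value in culture_metrics().items():
        print(f"{name}: {value}")
```

The ratio is deliberately computed against leavers whose accounts were removed rather than against all removals, so accounts removed for other reasons do not mask a leaver who kept access; the blocked proxy requests are counted alongside allowed ones because the slide's indicator is about attempts, which reveal intent regardless of whether the control stopped them.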
12. Setting the tone from the top
Awareness and Leadership: Views from the Board
A maturity ladder of increasingly effective cyber risk management, from "Denial?" at the bottom upwards:

Denial?

Awareness (Owner: CTO)
'We understand cyber is a relevant topic and our executives inform us regularly'

Understanding (Owner: CEO)
'We maintain a considered cyber risk appetite and see accurate management information which demonstrates compliance'

Good Governance (Owner: Board)
'We actively manage cyber risk, making well-informed choices about how we run our business and placing clear requirements on executives. Risk appetite influences our strategy and vice versa'

Effective Leadership (Owner: Board + Whole Enterprise)
'We are leading a business in the digital age. Cyber risk is an integral part of innovation and growth; it is led from the top and managed by all executives'
13. What can I do tomorrow?
• Remember you are not alone, and utilise alternative skillsets across the business.
• Widen your metrics to include more than just completion of awareness training and ethical phishing results.
• Get more targeted! Tailor your training based on risk.
• Maximise the visual impact of your initial awareness activity.
• Create a brand for security within the organisation and promote positive behaviour.