Over the last 6 years, I have completed a broad range of risk, compliance and security searches, but our recent search for a “Global Chief of Information Security” was possibly the most interesting and eye-opening one so far, because of the consistency and simplicity of the message we heard from every single candidate.
The biggest risk to business is not cyber security or hacking. Yes, that is a risk, but it can be quantified, and measures can be taken to combat it. Cyber Kung-Fu is not their primary concern. No, irrespective of the candidate’s background or location, they all agreed that their primary concern is something that is far harder to predict or control… the behaviour of their own people.
In the wake of the Edward Snowden affair and the Sony Pictures “hack” (where many suspected an insider job), it is clear that information security is still firmly in the hands of key employees. If your “people firewall” is not secure enough, leaks are inevitable.
So, in an era of increased reliance on technology, the technology isn’t the risk itself; it is the people who have access to that technology. This is what these guys were talking about. They weren’t talking about encryption; they were talking about behaviour. They weren’t talking about hackers; they were talking about human error. They weren’t talking about prevention; they were talking about education. They weren’t talking about a “lock down”; they were talking about becoming resilient!
All of the people I met talked about security as a “team game”. They all discussed the importance of combining physical and technical security and working with the entire business to build a culture supportive of security best practice.
What was also interesting is that they weren’t just talking about rogue employees. Those are relatively easy to spot, and they don’t last long. Instead, they were more focused on the average employee who wasn’t engaged enough to care about getting it 100% right, or the employee who didn’t take the warnings seriously enough. “I’d never make that mistake” is an easy thought to internalize until the unimaginable happens.
These information security guys see themselves as educators. What are the consequences of sharing a certain email? What are the protocols for a certain event, and, more importantly, why are they there? What could happen if your commitment to get things right wavers, even for a second? A lot of the answers to these questions can be pretty scary, and a mistake with the wrong sort of information can have huge consequences.
I got the impression that all these top guys were great “readers” of people. They were highly perceptive in the interviews and were able to see situations from multiple angles. They were half cyber geek, half psychologist but 100% focused on making every aspect of their business resilient!
In a world increasingly reliant on technology, the security of that tech is of paramount importance. I for one am glad that these guys take such a human approach and feel absolutely safe in their hands.
Here is my takeaway… Next time you are handling data at work, irrespective of how “unimportant” you believe that data is, think about the ramifications of a “mistake.” Remember, when it comes to technology, you are potentially your company’s biggest risk.