Know the Risk and Motivation for Resistance
Risk is inherent in every decision that a person makes in life. When you cross the street, you might be run over by a bus. Eat at a restaurant, you might get food poisoning. Risk is everywhere, especially in business. In this article, we’ll look at different methods for understanding and communicating those risks, especially in the face of resistance.
Understand the Risks
Every company has different top risks, as does every department within each company. Banks want to protect their clients’ money. Technology companies must guard their trade secrets. Hospitals must secure patient medical records. Sometimes there are risks that nobody has thought about yet. Sometimes a few people have thought about it, but leadership hasn’t taken an active interest. The first thing the cybersecurity manager needs to do is to discover the biggest risks the company faces. The best way to do this is by interviewing people inside the company. These conversations can uncover risks leadership may not be focused on but should be.
Find your biggest single points of failure in your company and make sure management knows about them.
One fairly large company we worked with, for instance, had a few thousand staff and a few hundred million dollars in turnover. They had a huge enterprise resource planning (ERP) system that was integrated with their production—nothing worked without it. The ERP was mission critical, but there was no replication, no redundancy, and no backup system. If the system broke, physically or otherwise, they were shut down until they could fix it and make it work again.
Several people at the company knew about this, but management didn’t register it as a major risk. They didn’t do anything about it for many years. Why? Maybe they weren’t so interested in the company’s operations. Maybe they were more interested in their own sales. Maybe they didn’t worry about it because they thought the ERP had been there for twenty years and worked just fine, so why would it break down now? Maybe they just had higher priorities. If you asked management in that company what the biggest risks to the continuity of their business were, they probably wouldn’t tell you that the ERP was one of them. All the while, the company’s existence depended on the efficient functioning of the ERP system. These types of risks—risks that could cause the company to go bankrupt—need to be identified first.
Lesser risks might be those that cause the company to lose efficiency or spend extra money or effort to operate certain systems or machinery. For example, IT is often perceived by management as a way to do things more efficiently than the competition. When the computers go down and the company loses the benefits of IT, their margins erode and their advantage over the competition is reduced, but they don’t go out of business right away.
This is the language the cybersecurity manager needs to use when talking about IT security and systems downtime. The cybersecurity manager shouldn’t suggest that the IT systems will never work again. They need to focus on the margin issue: the company will get slower at serving its customers or might not be able to serve them at all until the system is back up and running. Learn to speak the business language. Explain your security issues in terms of money, resources, and time, so management will understand it’s not just about security—it’s about running a company profitably.
Focus on the Most Relevant Risks
If the cybersecurity manager wants to be influential at their company and relevant in their work, they need to focus on the risks that are most relevant to that business. The CEO understands the specific risks the company faces. Whatever the CEO considers important is equally important to and must be understood by the cybersecurity manager. That doesn’t mean the CEO is always right; the cybersecurity manager may need to educate the CEO (or CTO or CIO), but achieving alignment is essential because the cybersecurity manager needs the high-level support. We can think of the CEO as an internal customer—the customer is not always correct, but they must be understood. cybersecurity managers should listen a lot at first, ask many questions, and learn how leadership perceives the situation. If the cybersecurity manager achieves alignment with the CEO and acts accordingly, the cybersecurity manager will be successful.
If there’s no communication, that alignment is unlikely. In one case we witnessed, a security manager tried to buy a physical security access control and burglar alarm intrusion-and-detection system for the company’s offices. The first offer the cybersecurity manager got was four times more expensive than the cheapest system. The cybersecurity manager, who was focused on the risk of a physical break-in, decided it was worthwhile to buy the more expensive system. The CEO, on the other hand, considered this purchase a way to be in compliance as inexpensively as possible. He preferred the cheaper system. In this instance, the cheaper one probably met the company’s expectations and requirements better. In the end, the CEO decided to go with the cheaper option.
In this case, the cybersecurity manager did not adequately understand the goals and objectives of the CEO. The CEO’s objective was compliance, while the cybersecurity manager’s goal was optimal security. They’re different. cybersecurity managers can take a simple lesson from this: they must communicate with company leadership and discuss risks internally. The cybersecurity manager should always investigate the company leadership’s priorities.
Fallout from Risks
When cybersecurity managers begin to identify risks, they should think about what category of risk they’re dealing with. Is the company worried about losing the secret sauce, the data, the trade secrets? Or is their main worry an interruption in the manufacturing line? If the process stops, how big of a problem is that? Is it a financial risk? Is it a legal risk?
Sometimes the staff or teams will not be able to articulate their biggest risks. Discussing examples with them can help them identify risks that apply to their company or their department.
Here are examples of risks and how they materialise:
Any company that manufactures goods knows the risk of the line shutting down. When the line stops, that costs money. There are myriad examples of production interruptions that can cause complicated problems up and down the supply chain and lead to massive losses.
Or if a company manufactures industrial paints, what happens when they need to print shipping labels for all the places the paint is going—and the printers fail? If the printer doesn’t spit out the labels, nobody will know which lorry to load the paint onto. They could wind up with empty lorries waiting outside and a full warehouse of paint inside since production doesn’t just shut off immediately. They need some kind of redundancy or backup plan.
Manufacturing interruptions come in all shapes and sizes. But almost all of them are time-critical.
Logistics is a risky business on a good day. Companies deal with constant deadlines, uncontrollable weather conditions, mechanical malfunctions, and a thousand other risks every day.
Let’s say a logistics company has to deliver parcels for a client. The package someone sends to their friend goes through a huge automated facility where the parcels are sorted and put onto lorries, with lorries always coming in and out.
Now let’s say a design error in the network and a DDoS (distributed denial of service) attack hits the network. It prevents not only external data communications but internal channels as well because the same network was handling both internal and external traffic. The system is at capacity and cannot handle any more data.
That plant can’t run. Nobody can deliver parcels. But lorries will keep arriving. They keep offloading parcels into the facility. Meanwhile, automated sorting lines won’t run, and machines won’t sort. The lorries are full but can’t leave. Within hours, the facility is overflowing. Now imagine if that one facility handles about 70 percent of all parcels in that small country. It could be a major disruption to the economy.
This nightmare scenario is not unusual in logistics. The risks in logistics are high, and backup plans are critical.
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
Break the Cycle
Companies can get used to having business interruptions. Operations break down, they find someone to blame, they fix the problem, and they wait for the next time. It’s time to break that cycle. Find the most severe problems and fix those first. Even if you can’t fix them, you’ll at least see the next crisis coming.
If companies fail to prioritise business continuity risks like the above, they’re at least as likely to overlook “external” risks like the potential loss of customer data. We once worked for a company that should have known better; they provided healthcare services for private individuals. The company was developing better IT services for its customers—solutions that would monitor their operations, compliance, and security systems and notify them of any event that looked like a breach. Great idea but for one problem: they stored all the information in a centralised log system and left it wide open online.
Someone in the public stumbled on the problem and notified the company. It turned out the developers had left the communication ports in the firewall open. All anyone had to do was connect and download; no username or password necessary.
Too many companies fail to understand what they’re doing when they use virtual servers. “The cloud” is a mystery to them and one they may not investigate until it’s too late. In this case, the situation lasted over a year. Because the company had no way to know if something was or wasn’t stolen, they had to live through the nightmare of notifying every single customer.
Compliance, even when intended to prevent problems, can actually create more disruptions than it solves. In reality, companies rarely benefit from compliance outside of being able to market themselves as compliance-certified; it seldom helps secure the company. Worse, it doesn’t even have to make sense. For example, we once worked with a company that provided IT services for many companies all over the world. They wanted to make sure their vendors followed proper compliance, so they conducted frequent facility audits. They would send auditors to inspect the data centres and make sure they were compliant.
A problem arose when compliance declared that there couldn’t be any external people (i.e., the auditors) inside the data centres—only internal people were permitted to be there. Ironically, the company would fail to pass compliance because there were too many auditors auditing their facilities. This is a strange but telling example of compliance risks in IT.
Whether requirements come from laws, contractual requirements with another company, or internal requirements, companies should try to follow them, especially in IT. The bottom line: you can’t ignore compliance.
Apply Standards Situationally
Compliance standards require cybersecurity managers to do certain tasks and take certain cybersecurity measures, but not all of them are necessary all the time. If the cybersecurity manager can demonstrate that a requirement is not applicable to the organisation because there’s no risk, they can save time and money because they won’t need to implement it.
Consider the example of the Russian company that handled credit card information without addressing requirements specified by the American credit card company that hired them. They looked at the list of requirements, threw up their hands, and did nothing. The American company was incensed; they threatened to cancel the deal.
Should the Russian company have checked every box on that list? Maybe not. It’s possible that they could have avoided that by analysing the requirements to see which were truly applicable and which were not. By documenting the reasons some steps were inapplicable, they might have been able to reduce the number of tasks on their list. Then, in communication with the American company, they might have been able to complete only those items.
Compliance is mandatory, but sometimes it’s malleable too.
Financial Records Breaches
The banking and finance industries are based on trust. When a financial institution has a breach, it goes to the core of the business—they lose customers’ trust. Let’s say a wealth management company or small bank loses their client records. The people who came to them to ensure their wealth was safe, secret, and exclusive may now leave. New customers may be reluctant to come on board. That’s why the banking industry is the first to implement security measures.
This happened with the Panama Papers scandal. You may recall this hacking incident from news reports: millions of documents containing detailed personal financial information on wealthy individuals, and government officials leaked to news outlets and the public. Some documents included information on banks that were illegally helping their powerful clients hide money and avoid taxation. After that data leak became a public scandal, potential customers shied away because of the leaks. Not only did wealthy people avoid the organisations involved, and likely pulled their money, but average people avoided them, too, because of the perception that they were participating in shady tax planning.
External Provider Dependence
Human Resources maintains employee records with very personal information: salary, social security numbers, banking information, and so on. Because the employer has to store this information for employees, they are responsible for storing it securely.
At the same time, payroll and other management tools used in HR are often outsourced to external service providers. The risk is clear—if there’s a leak or data breach at the provider, the company could lose their employees’ personal information.
This would be a disaster. First, the company would face fines. They may also be required to acquire credit monitoring services for every individual whose personal information was subject to a leak. Companies can also get sued for enormous sums by their employees, with the amount varying by country. (The United States and Germany have exceptionally high fines.) The financial impact can be huge, not to mention the impact on the company’s own employees in terms of reputation and esteem.
In today’s world, most companies are part of an ecosystem of companies that provide resources to each other and drive responses from each other. Acknowledging this interdependency is powerful. Use it to build trust.
Credit card fraud is common in retail. Companies use payment systems from specialised vendors which may or may not be secure. They might acquire a payment system for cashiers, for instance, which includes a point of sale (POS) system, so the customer can pay with a credit card.
Criminals are breaching these types of networks by phishing or other means. Once they gain access to the network, they create specialised malware for these POS devices. The malware collects credit card details and transmits them out to the internet for criminals to save and store for later use. Then the criminals sell that data to third parties who use it for illegal, online, card-not-present purchases.
Then the shop and the bank that issued the card argue over who’s to blame and who should pay. If there is $50 million in total annual credit card fraud at the bank, who should pay? The bank or the processing company? Or the careless customer who didn’t take proper precautions? The costs can be huge, even before the company begins to address the cost of solving the breach and replacing all the stolen cards. The feuding parties will likely try to come to some kind of independent agreement because the last thing a company wants to do to solve their business issues is air them in court. That’s bad PR for everyone.
Security Q & A
Q: How hard is it to enter a store in a retail chain and find an unprotected computer in the company network?
A: Not very difficult. One team sent to test this vulnerability was able to gain access 100 percent of the time.
Intellectual Property Theft
A startup that’s building an entire business on a single proprietary technology has the potential for high reward but also has high risk. The biggest risk is intellectual property theft. If the startup loses its secret sauce, whether it’s hardware, software, medical, biotech, or some other trade secret, that could destroy the competitive advantage and ruin the company. For example, consider a silicon chip manufacturing company with a proprietary process for producing precision chips used in sensors for cell phones, smartwatches, and even satellites. They succeed because they own the intellectual property behind that innovative technology. If someone steals it, they steal the innovation and deal a death blow to the business.
When a startup relies on a single technology, the risk is incredibly high. If they lose it, they lose everything. Startups usually don’t have much support available. They don’t have a massive database of clients yet or a complex network of relationships or partners they can rely on. The value of most startups is the technology. It must be protected at all costs.
Resistance to Change
There are so many risk scenarios that can be mitigated by well-executed cybersecurity management, it might seem like an easy sell. Still, it would be unwise for a cybersecurity manager to boldly walk into a staff meeting one day and announce, “We are revamping all the security procedures in this department, implementing a bunch of new security processes, and changing the way you’ve been working for the past ten years.”
No matter how strong the case for change, people will resist, either because they fear new things or they have come to rely on the consistency of their old ways. Or both. Not everyone admits it; some people outright deny that they fear change or try hard to downplay their discomfort. Others get angry. When a cybersecurity manager encounters resistance to a new policy or procedure, they should try to find the psychological root cause. If the cybersecurity manager understands what drives a person, they will be better able to address the underlying issues. Here’s how:
Use the Right Reward
One way to determine what motivates people is to notice how they like to be rewarded. Different employees respond to different rewards for a job well done. Some appreciate being given more freedom and fewer rules. Others value getting more time off to spend with their family or to work on pet projects. Some people seek safety; they’re motivated by reliable forecasts about what’s going to happen in the future. Some want to get information before others. Many people are motivated by money, while others are inspired by awards and recognition.
If people are motivated by money, the cybersecurity manager might emphasise that a more secure company means more secure jobs. Others might be motivated by safety and forecasting, so the cybersecurity manager should explain how the new security measures ensure there won’t be any surprises. For people who are motivated by having more freedom, the cybersecurity manager can show how the new security measures will give them fewer hoops to jump through. In all cases, the cybersecurity manager must employ empathy to understand how people feel, not to manipulate them but to serve them better.
Change Is Good
If you can explain to the person why a change is good for them personally, they usually accept it. It’s even better if they figure it out themselves.
Sometimes, all a cybersecurity manager has to do is ask, “Can you tell me what do you do in security in your job?”
After they answer, most people are ready to get on board with the proposed changes.
The attention is a type of reward.
Too many security managers think of their job as just writing up policy and procedures: “Don’t click on links in emails from unknown senders. Change your password at least every thirty days.” Then they put those policies on the internal network and hope that people read it. And that’s about it.
That’s not enough. You have to explain the why as well as the how.
If a company just wants to meet the compliance requirements and provide some training for employees, a list of procedures might be enough to protect them from getting fined, but it won’t actually make the company safer or change people’s behaviour. People seldom act differently unless they know why they are being asked to make the change. The cybersecurity manager must help employees understand that they have shared goals. They all want to make sure that risk is minimised; the cybersecurity manager wants to secure the organisation, and so do the employees. The policies and procedures are intended to help everyone meet that goal.
One way to demonstrate this is to give a detailed example, like hackers who get in through malicious emails and phishing. The cybersecurity manager can explain to employees how these attacks work by offering an example: Say the probability of a single user clicking on a phishing message link is fifty-fifty. Knowing that, the attacker is able to calculate how many messages need to be sent to have a 95 percent probability of success. So they might send twenty messages to different employees with high confidence that someone in the company will fall for it. One employee will click, and that’s all it takes. That’s why everyone has to be trained well. Examples like this can help employees understand that there is a reason for every security policy.
Let the Numbers Speak
We recommend coming up with two numbers to help explain why security policies exist and must be followed. The first number is how much can be lost, and the second is the probability of losing it. If, before security training, 80 percent of employees click the link in a suspicious email, but after awareness training, only 20 percent click the link, we’ve reduced the problem quite significantly. This reduced risk actually creates a financial gain, in a way, by avoiding losses.
Using numbers, the cybersecurity manager can demonstrate that, compared to the cost of a breach, training employees is actually quite cheap. It’s probably well worth spending $10,000 for training if the risk is reduced by 60 percent. Using that sort of cost-benefit analysis, mapped out in risk language, can help everyone understand that security training is a wise investment.
Every cyber risk can and should be translated into risk language and numbers. The numbers don’t even have to be exact. Ballpark numbers work. Without understandable quantification, few people will take the threat seriously, even fewer decisions will get made, and little change will occur.
Coping with Resisters
Cybersecurity managers in large companies generally interact with three different types of people: those who help them and get on board right away, those who go along only if others do, and those who resist. The resisters are the most difficult to deal with. If a cybersecurity manager doesn’t do anything about the resisters, they’re in for a tough battle, and they might even fail. Ignoring naysayers is the worst thing to do. Instead, cybersecurity managers should identify those people and turn them around, so they won’t interfere and might eventually come to help.
The first step with resisters is to identify and acknowledge them. This step alone may resolve tensions. If the resisters still don’t change their behaviour, though, the cybersecurity manager might need to go to a superior to establish authority. If the boss communicates the need to staff and lets them know what’s coming, it creates a sense of inevitability around the change. If the person knows the change is going to happen anyway, they will realise their only choice is whether to help or not.
Nobody wants to be the last resister.
Parents understand the value in teaching kids that some things are just inevitable. Instead of asking, “Are you ready to go now?” they’ll say, “Okay, we’re leaving for grandma’s house in five minutes. If you don’t get dressed right away, you’ll be riding in the car in your jammies. We are going to grandma’s house.” The kids usually get dressed. The interaction doesn’t have to be uncomfortable or threatening, just a statement of inevitability. If it works for kids, it usually works for everybody else.
We recognise that it’s never an ideal situation if the cybersecurity manager has to go to the boss, but sometimes it’s the only way. If the change the cybersecurity manager is proposing is important for the company and will address significant risks, it should be a joint effort that everyone gets behind. At the very least, no one should be interfering. The bottom line is, someone who is making security more difficult poses a threat to the company.
Motivating people who resist that change is a necessary part of the job. The more experience a cybersecurity manager gets, the better they will be able to navigate change. In the end, the work the cybersecurity manager does is for the good of the company. Eventually everyone will realise that and get on board.