Simon Hodgkinson on Learning to Speak Up and Creating a Culture of Risk Management

Regulations serve as a foundational framework for cyber security controls, as evidenced by initiatives like PCI and GDPR. However, punitive measures have unintended consequences, such as a lack of transparency and collaboration when incidents occur. 

A compliance-centric mindset is limited and can result in excessive overhead and ineffective risk mitigation strategies. 

We need a shift towards a more constructive approach that encourages sharing lessons across the cyber security industry, similar to the aviation black box approach. The aviation industry has come a long way in terms of safety precisely because of a culture of speaking up and sharing the learnings. 

Breaches will occur in organisations of all types and sizes. In these cases, negligence is rare. What typically happens is that people do the best they can with limited resources. Moreover, the supply chain for big organisations is a massive challenge. It’s often that the supply chain is hit, not the company. 

There will always be areas of weakness and incidents. What matters is the response and the aftermath. 

Managing risks isn’t primarily a technology problem but a people and process problem. 

Culture is essential no matter the type of organisation. You have to be clear on accountability and ensure the company recognises that cyber security is a business risk.

Risk is not something that can just be handed to the technology function because it’s complex and hard. Cyber risk is something that the C-suite must manage. If you can get the leadership to talk about cyber security, the whole organisation will talk about it.

Strong leadership is essential in fostering a culture of transparency, accountability, and proactive risk mitigation.

But to get the leadership on board and help them manage risk effectively, you must overcome the tech language barrier. 

Businesses constantly struggle to allocate resources across various departments. While cyber security is crucial, it competes with other pressing needs.

The key is to present a clear picture of the potential consequences of neglecting cyber security. CISOs need to bridge the gap between technical risks and their potential business impacts. 

Speaking in terms of malware strains and vulnerabilities often fails to resonate with business stakeholders. Instead, you must frame cyber risks as tangible consequences, including financial losses, reputational damage, or operational disruptions.

Imagine a scenario where an outdated server, nearing its end of life, is flagged as a security risk. Merely stating this technical fact might not raise eyebrows. However, explaining the potential business impact — like a complete system shutdown leading to operational disruption and financial losses — paints a more concerning picture.

Businesses can only make smart decisions about allocating resources and managing risks when cyber security professionals translate threats into real-world consequences. 

Operational resilience, meaning the ability to bounce back from cyber attacks, is crucial. Traditional security measures focused solely on prevention are not enough.

Firstly, unlike most crises, cyber incidents can affect all aspects of a business. That’s why organisations need to adopt a broader approach, ensuring that all departments, including legal, communications, and leadership, are prepared to respond effectively.

Secondly, resource limitations are a common challenge. Companies may struggle to staff a response team capable of handling a major cyber attack for weeks. Therefore, planning and drills, well-defined playbooks outlining incident response procedures, and tabletop exercises are all essential.

Recovery plans shouldn’t solely focus on application security. You must address the foundation, including switches, routers, and other critical infrastructure, to ensure a quick restoration of operations after an attack.  

While resource allocation is challenging, putting immediate profits over investments in cyber security can be detrimental in the long run.

Focusing on short-term gains can lead to situations like the 2008 financial crisis. Businesses must learn from mistakes and adopt a long-term perspective, which includes investing in areas like cyber security to ensure future stability.

A proactive approach to cyber security helps leaders achieve sustainability. 

At Chaleit, we are also believers in a proactive attitude and bring it to all our client engagements. Follow us for more insightful conversations with industry leaders, and let’s connect for long-term benefits.