To ensure that security efforts truly permeate the entire organization, clear commitment from the top is required. Here, Verdane's CTO, Henrik Berg, and Cybersecurity Director, Thomas Baasnes, both with extensive experience in leadership and information security, explain how you, working in information security, can convince leaders of the importance of investing in systematic information security work.
Leadership and culture in cybersecurity
- Security doesn't just arise locally in a single department. It will never become a true part of the company's culture unless the management takes it seriously. If there are no demands from the management and board level that security is important and should be followed up on, it becomes a secondary topic that might not receive enough attention, says Henrik.
In addition to his role as CTO at the private equity firm Verdane, Henrik has over 20 years of experience in executive teams and leading development teams. His colleague, Thomas Baasnes, primarily assists Verdane's investment team in conducting cybersecurity due diligence before and after investing in a company. Thomas sees a clear difference between companies that are more and less mature in their information security work related to leadership:
- It's a make it or break it factor. We have seen that those with a high maturity level in their security (in terms of people, processes, and technologies), and a strategy and leadership that understand its importance, find it much easier to build Security by Design rather than doing it gradually only when it starts to become critical, says Thomas.
Leaders must remember that they set the tone for the organization's security posture, establish the culture, and allocate resources. If they don't care, why would the rest of the company care?
How to get management to prioritize security work
As a CISO, or other security personnel, it's important not to give up but to focus on what can be done. If security is important for your company and the management doesn't understand it, then the message has been lost, which could be due to a lack of communication. Don't forget that the management deals with a multitude of other priority areas. Therefore, it can be difficult for them to invest in something that feels like insurance against something that might never happen, explains Thomas:
- I often hear about reports that go up to the management, where, for example, it's stated that ransomware has increased by X percent. Scare tactics emphasizing that once it happens, it's over and the company goes bankrupt. These are absolutely valid points, and I think all companies will be affected, but that type of communication rarely works well.
That's why we in the security industry need to start looking at this in terms of effects and results, rather than scare tactics. Argue with facts, for example, highlighting:
- We have lost X number of deals in the past year because we were not ISO certified or compliant with DORA.
- We have used X much more resources because our customers ask if we can demonstrate compliance, which means we have to spend a lot of time answering questions related to this.
- We see that our target group will introduce stricter requirements in X years, and then it will be difficult for us to be competitive if we don't act today.
- Talk business from a technical perspective. Explain to the management what it costs in money and lost sales. Use the carrot instead of the stick. That way, you will reach the management much more effectively, believes Henrik.
Increase knowledge about security with awareness and training programs
It's common to start an awareness and training program to kick off the work on information security. Unfortunately, it often becomes merely a compliance exercise with little effect, because a lot of activities are initiated without proper thought. Therefore, here are Thomas's best tips on the important questions the company should ask itself before the work begins:
- What is the purpose and goal of the program? Do we want to strengthen the culture? Get all employees to understand their responsibility related to security? Increase knowledge for specific roles in the company?
- Who should we target with this? It could be all employees, or specific functions like HR, the development group, leaders, super administrators, or system owners.
- What type of training is needed? Consider the target audience and what they actually need.
- What tools are required to effectively drive the activities? Do we need to subscribe to any training platform, for example?
- How do we measure the success of the program? Don't throw money away; measure it!
Summary: 3 quick takeaways to remember
- Security culture must be placed on the management's agenda. You do this by focusing on how security can support business results.
- When implementing a program to enhance culture, awareness, and knowledge, consider why it should be done, how it should be executed, and who the target audience is!
- Regular evaluation of the program is necessary to ensure that it is effective and achieves its goals.
This text is based on the conversation between Verdane's CTO, Henrik Berg, and Cybersecurity Director, Thomas Baasnes, in our webinar on cybersecurity, on November 16, 2023.
Do you want to know more about how Stratsys can assist you with your information security work? Read more about our product Information security & Privacy here, or contact us directly and we will be happy to tell you more.