Leading by example: if you don't, you won't be secure
08:00 Wednesday, 10 November 2021
UK Cyber Security Council
As security specialists, we spend a significant proportion of our time educating the staff in our organisations about security - from how to spot a phishing scam to checking that people entering the building are doing so legitimately. And we have all met him or her: The One Too Senior To Conform.
A few years ago, this correspondent was CISO in a 400-or-so-person company. A middle-ranking IT guy walked up to my desk looking very nervous, and asked if I could help him. It turned out that someone had just attempted to tailgate him through the entrance to the building (this was a secure area - you swiped your access card and entered a six-digit PIN), and when my colleague had challenged him he’d said simply: “It’s OK, I’m a director” and tried to push past. Said individual was politely but firmly asked to take a seat in the foyer, and after asking around it turned out that he was a non-executive director along for a board meeting; one of the executive directors was dispatched to collect him and to point out the error of his ways.
How many of us can say that this would happen in our organisations? It takes time and effort to get to the stage where staff challenge visitors - but, most of all, it needs top management backing. In the example above the executive in question took great delight in telling off the guilty NED, because he knew the rules but decided to try to pull rank anyway. We had a great culture: the CEO was generally seen wearing his ID badge on a lanyard around his neck, and I distinctly remember the feeling of satisfaction when I (wrapped up in a thick coat in mid-winter, with my badge therefore covered up) was challenged by a very junior member of staff to identify myself.
But this is how it has to be. “Do as I say, not as I do” has always been a rubbish parenting style, and it’s also a terrible management style. While there will always be perks to seniority, there should be no security perks for senior people. Why would a senior person think security doesn’t apply to them? If anything it should apply more, because they’re the ones who have their identities forged by scammers trying to dupe staff into making bogus invoice payments, and whose user IDs on the finance system have the high-value sign-off privileges.
It's our job as security professionals to get across the message that we need their backing and, in particular, that they need to lead by example. I think back to an organisation that tried to introduce a “VIP” scheme on the service desk; the idea was that, if you were above a particular level of seniority, your trouble tickets were given top priority. It was imparted that such an approach was sub-optimal, on the basis that if the CEO had a problem sending an email he could get his PA to do it, while the service desk prioritised fixing a problem for a junior sales person who was with a client and couldn’t get the million-pound order form to print.
This latter example has nothing to do with cyber security, but the reaction was precisely the one we need from the decision-makers in our organisations in a cyber context: the lightbulb came on, and we had instant buy-in from senior management. In an ideal world, we can reason with senior management and persuade them to support us and to demonstrate that support not just by following the rules but by doing whatever they can to show the rest of the company that they are doing so.
A CEO dropping in a sentence in an all-hands quarterly staff meeting, saying “Someone asked me to show them my ID badge at the door the other day… well done you” has a vastly disproportionate effect on the security posture of the organisation. If the security team has a good relationship with senior management, even better: it can be fun for the “pesky CISO” to get a gentle ribbing from the CFO because the USB port on his laptop was locked down and he had to use a “special” (a secure, encrypted, password-protected) memory stick to transfer his presentation to his laptop.
“Them and us” is unacceptable in an organisation. Senior management must work as securely as the rest of us; if they don’t, we are guaranteed a lower level of compliance from everyone else.