CovertSwarm is a modern and growing cyber security business that defends an increasing number of global organisations. As part of our mission to improve the world’s cyber security we wanted to take a moment to share our answers to a number of common questions we have been asked during our engagements with the wider business and cyber communities.
Does the following sound familiar?
You have already heavily invested in offensive and defensive cyber controls:
· Penetration Testing
· Red Teaming
· Ethical Hacking
· Security Operations Centres (SOCs)
· Web Application Firewalls
· Vulnerability Management
· Vulnerability Scanning...the list goes on.
Despite all of this you are still struggling to get your team and wider company engaged and onboard to recognise and support necessary cybersecurity initiatives.
If this describes your security culture challenge, then this blog is for you.
How can I get my team, and company, better engaged with cybersecurity?
We have presented a number of ideas and novel approaches to get people engaged and striving to deliver a stronger security posture for their businesses.
First, you need to achieve Board (or at least C-level) commitment and appreciation for the criticality of constantly improving your cybersecurity posture.
Without this, as in a top-down approach to cyber, you will fail.
No matter the size of your organisation or sector, protecting your company from cyber attack must be on the Board’s agenda. Every company harbours data that is sensitive and should not be in the public domain. Each would agree that it is worth protecting. Whether it be intellectual property, customer information, payment data – the data has a value to someone, somewhere and threat actors are relentless in their desire to exploit this value.
How do I obtain Board level buy-in for cybersecurity?
Make it real.
If you can show actual points of compromise – how you will be breached and how this will impact the company’s performance and shareholder value. Your Board will start to listen.
1. Show actual damage to the company - not textbook examples.
2. Demonstrate Financial Impact - numbers speak volumes.
3. Provide examples of a breach hitting the shareholders personally in the pocket - EBITDA and shareholder value impacts are impossible to ignore.
The moment you have made the risk real, rather than anecdotal, you will have them engaged.
Make this your primary objective and sole focus: if you don’t have commitment from the top you will not succeed to protect your organisation from cyber risk.
What approaches can we take to ‘gamify’ security and reward security best practice?
You need to incentivise the right behaviours.
What you want to achieve is a culture of ownership and ‘find it, fix it, protect our clients/brand’ approach.
It will always be preferable to find your vulnerabilities before a genuine adversary does.
In doing so you are helping to protect the company, educate your staff and raise awareness.
One area in which CovertSwarm has seen this work well is via an internal “bug bounty” program:
· You look to incentivise individual findings, with a sliding scale for reward based on critically.
· Due to the privileged position internal people already have – you need to put clear rules and guardrails around such an internal program.
· You could for example run a leader board with prizes awarded within given a period.
· This should never be a distraction – it should be an incentive to find vulnerabilities, risks/issues – things your team didn’t yet know about and highlight/fix them.
For example, you could pit team against team.
Such a program could be extended outside of just security – think of wider bugs, issues, code quality, improving performance with the ultimate aim to enhance customer experience and team understanding.
Should we be sending our people to security events and security training?
Provided there is a direct business benefit and that there will be skills enhancement leading to improved identification of vulnerabilities and risks.
One area we’ve seen that work is using real world examples from your organisation’s codebase or infrastructure architecture as to how genuine breaches, vulnerabilities, and exploitation could occur.
This ‘wow’ moment is key to gaining interest, motivation and a passion for improving cyber security within your team culture.
How to empower Security Champions to take initiative?
You may be the Information Security Manager, CISO or just the nominated person responsible for cyber security at your organisation.
You are struggling to get engagement and are unsure as to how best empower your internal security champions to take initiative.
Stop making it about you and it being your problem.
This is an organisation level problem.
As mentioned already, first get Board / C-level buy-in.
Until you have this you will struggle to get anyone else aligned, it will be an up-hill struggle. It has to be driven top down.
Once achieved, you must create a culture of “ownership”: security is everyone’s responsibility.
“We all have to protect the company, from all aspects, including the risk of cybersecurity exploitation.”
The “that’s not my job” mentality is toxic and invariably leads to a destructive culture. So, how do you empower your security champions? Make it engaging, rewarding and exciting.
“Something we all do together, talk about and collaborate on.”
How do we create a north star for security? We've agreed some objectives but how do we feed these into an overarching goal that we're striving to achieve?
First ask, what is your C-suite or company’s north star?
Filter down from that to set the Security North Star - and do so by working with the C-suite to articulate and monitor this ongoing.
For example, your Security North Star may be something like:
· Be the most secure online brand, whose customers implicitly trust with their data.
· Work hard every day to help customers be more secure when using your services.
Your organisation has a valued and TRUSTED brand that customers support:
1. They trust you to provide a quality service or product.
2. They trust you with their money.
3. They trust you with their identifies.
4. They trust you to continue to improve and drive value for them.
5. They trust you to meet your commitments.
6. They trust you to deliver on time.
If they lose trust in your security all areas of trust are impacted – it all falls.
Remember that you continue to be a target for attackers – and that they pose a genuine and serious threat to your business, its staff, clients and suppliers.
Remind your C-suite, and teams that we all need to work hard every day to protect what you have.
The critical point is that this needs to become part of your regular internal messaging: “We are all in this together and we all share collective responsibility.”
How can CovertSwarm help?
We have a collective approach to delivering our Constant Cyber Attack service.
CovertSwarm was founded with this ‘Why?’
To continually challenge, improve and modernise what inevitably become ‘traditional’ approaches. To work with ambitious, diverse and energised people who we invest in, inspire and mentor to realise the impossible, together.
We can support your internal bug bounty and security champion programmes and provide the constant ‘eyes on’ approach to cybersecurity that you need.
We emulate the techniques and approaches of real threat actors, constantly, and deliver the ‘wow’ that will engage your teams, C-Suite and Board.