On 6 December 2022, Deloitte published the 2023 Global Future of Cyber Survey. I know I’m late to the party, but it didn’t appear in my feed until 6 July 2023, and I had to build up the courage to read it. I felt like I needed to take my time with this one. In my typical fashion, I’m going to unpick this report as it relates to cyber culture:
The future of cyber is coming into sharper focus as organisations worldwide begin to look beyond the tech-centric and threat focus toward the potential positive outcomes they can achieve by deeply integrating cyber thinking and cyber actions across their businesses… Collaboration across cyber, risk management, and business units is critical to neutralising cyberthreats, protecting business value, and sustaining customer trust.
As I read this, I highlighted “toward the potential positive outcomes they can achieve by deeply integrating cyber thinking and cyber actions across their businesses.” A promising start. Cyber thinking and cyber actions, aka cyber culture, where everyone, regardless of their role or contract type, thinks cyber in everything they do. This feels like a cyber-first approach across every aspect of the business that helps to neutralise threats. The report goes on to say:
Looking ahead to 2023 and beyond, cyber is growing far beyond its technology roots. For many organisations, cyber now weaves more tightly into business operations, outcomes, and opportunities.
A bit more cyber culture! Weaving cyber into business operations is exactly what I was talking about; everyone considers cyber in everything they do. Why?
Cyber initiatives made a significant, positive contribution on at least one key business priority.
The report goes on to say:
Cyber brings value to key business strategies—providing the organisation with confidence to try new things, increasing business agility, and enabling efficiency.
And Arno Van Der Walt, SVP and CISO at Marriott, says “Projects, initiatives, business objectives can’t be met without thinking through information security and privacy impacts, and having that embedded into the appropriate processes…”
Winning! Cyber culture drives business priorities, and is embedded into the appropriate processes. I can’t argue with that, although from my experience it’s often missing in the companies I have worked with, which is why it’s right there at the top of my cyber culture process.
Then we move on to “the future is cyber”:
Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative… cyber should be embedded across the broader business strategy. It should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT.
Anyone else’s heart get all warm and fluffy? They’re talking about cyber culture again! Essential ingredient for success, I might have to pinch those words for my own flag waving efforts.
While digital priorities and emerging technologies have evolved, so too have the effects of cyber incidents… Even as the organisation’s focus shifts to the positive benefits and long-term business value that cyber readiness can bring, it is important to keep sight of cyber’s core ability to counter cyber threats, mitigating negative business consequences and risks.
No arguing with that. In fact, the report goes on to look more at incidents and the impacts they have on a business:
The frequency of cyber incidents or breaches has been growing, with 91% of organisations reporting at least one, compared to 88% in the 2021 survey.
Operational disruption continues to be the most significant impact of cyber incidents, although loss of revenue and loss of customer trust jumped in the rankings.
I do talk about operational disruptions, and have seen more than a few incident severity categorisations that look at this as a key indicator, but I wonder if we talk about this enough? Only yesterday, I had a conversation with a guy who was building cyber packages for clients, and he talked about % of global turnover penalties. Is it still commonplace to lead with fear, uncertainty, and doubt (FUD)? Handily, the report includes some data on this, so if you're still talking regulatory fines, you might want to brush up on the real consequences.
Now, we move on to maturity. This is where I got a bit stroppy. We were doing so well, and I could see cyber culture woven through the first 14 pages of this report, but had I completely misunderstood, or interpreted the contents based on a bias?
While CISOs can serve as organisational champions for cyber, many of these leading practices only become possible through enterprise wide engagement. That can take the form of … Conducting incident-response scenario planning and simulation at the organisational and/or board level … Annual cyber awareness training among all employees
When I read this section, I found myself scrawling “Just this????” across the document, with my highlighter. Perhaps I’m too quick to be stroppy. Perhaps this is a short summary, and it will evolve. Let’s take a look:
The next section is a diagram, and you’ll notice that in the examples of cyber activities it mentions “Annual cyber awareness training among all employees”. I’m still frowning. What happened to all the cultural stuff I’d identified earlier in the report?
Ah, I found it:
Any organisation, regardless of industry or size, can move toward high cyber performance and maturity. Success should not depend solely on your ability to “buy” maturity through increased investments in cyber. Rather, the actions that you take and the culture that you build will be primary factors for improving performance…. More than half of these leaders (55%) reported that cyber provides them with confidence to try new things… cyber was making an impact on both enhancing trust and enabling efficiency
Now we’ve found more cultural stuff, the frown turned upside down. Cyber culture for the win! Then we move on to an interesting topic, which reminded me of a regular debate I find myself embroiled in:
Trust is an issue of paramount importance when it comes to cyber. As an “ecosystem” that can help deliver outcomes, trust needs to be built with all of your human stakeholders. A trusting workforce, for example, achieves 2x improved customer satisfaction, and customers who trust a brand are 88% more likely to buy again.
A trusting workforce leads to customer satisfaction, and the potential for repeat business. What’s not to love about that? I wonder if you consider worker trust? I’ll be honest, it’s not something I hear mentioned much in the industry, unless we go back to the debate I mentioned.
Have you guessed it? Phishing simulations; to phish, or not to phish? I’m going to take a guess that if you didn’t see where I was going with that, you’re for phishing simulations, and if you could see it coming a mile off, then you’re in the against camp?
Let me share my boilerplate response to the question I’m asked at least every single day: When security teams do not have a good relationship with workers (and vice versa), workers do insecure things, and security has some form of aggressive interrogation lamp, you are not starting that relationship from a position of trust. If you don’t have a good relationship with staff, “tricking” them with a phishing simulation further damages the trust they have in you, leading to fewer voluntary engagements with security teams, a poorer security culture, and security not knowing where the bodies are buried, which costs an organisation and can lead to organisational disruption. There can be a time and a place for simulations, but these should be a positive reinforcement, and not punishable. In short, phishing simulations can damage the trust between staff and security teams, so if you’re going to do them, do them right.
‘Lessons to learn’ is the next section that piqued my interest:
it may be time for your business to take a deeper dive into questions such as:
Do we have the right technology and partner ecosystem in place—and how can we manage a growing, complex network of third parties?
Are we investing in the right ways and in the right areas—and do we have the right framework in place to understand how and where cyber is adding value across the organisation?
Are we investing in the right ways and in the right areas—and do we have the right “value frame” in place to understand how and where cyber is adding value across the organisation?
Again, this is a conversation I often find myself in: how do you measure cyber culture? Deloitte asks whether we have the right framework (or “value frame”) in place to understand how and where cyber is adding value across the organisation. This goes hand in hand with the measurement of security posture, and is it possible to quantify this? In my opinion, and experience, the answer is yes, but you must look at cyber holistically, and align this to your framework of choice. Where cyber most definitely isn’t adding value across the organisation is through “silver bullets”, or “Annual cyber awareness training among all employees”. When I say silver bullets, I mean expensive technological tooling, or monitoring. If these were the silver bullet, would 91% of organisations report at least one cyber incident or breach? This is where culture comes into play, by deeply integrating cyber thinking and cyber actions across their businesses.
Now, here’s the reason I sat down to write this piece. Deloitte includes a graph on page 21, titled “The planning reality, across maturity groups”. I believe I first noticed the report on Twitter, with the poster quoting a line from the report, “59% of CISOs are doing Security Awareness”, and here’s the graph:
I have to say I was more than taken aback by this graph, as the 28-page Deloitte future of cyber report mentions “Annual cyber awareness training among all employees”, and the word culture, a whopping 3 times. While I agree the future of cyber is more than security awareness, I’m genuinely shocked there is so little real estate given to it.
Now, you may know that earlier this year, Culture Gem and I released a “security awareness” product. Since releasing it, I’ve had countless challenges on the price point we entered the market at. The general theme is “you’re too cheap”. I set this price point because I made some educated assumptions, based on my experience of the security awareness market, and my cyber friends.
My assumptions:
CISOs don’t really care about the value add that my product brings, so I have to go up against the stack ‘em high, sell ‘em cheap security awareness vendors out there
CISOs don’t really care about the quality of the training they provide to their colleagues, as long as it ticks the box
CISOs would rather invest in the latest tooling, than security culture, and have allocated a tiny % of their cyber budget to security awareness
If you’re a CISO and are offended by the above, maybe you’re one of the few forward-thinking CISOs out there, or one of the 59% doing annual training. If you are angered by this, it’s either because you see yourself in this, or you don’t want to be tarred with the same brush. Call up any cyber recruiter and ask them to find you a security awareness candidate, or ask if they are recruiting for any security awareness positions, and the recruiters will tell you they don’t know where to start, because, as much as you might want to say you’re doing more than the basics, the security awareness job market disagrees with you. Deloitte’s report does go some way toward validating my assumptions too.
Let me put down my pitchfork, and continue on with the report:
Cyber issues and activities are ultimately about people—whether it is an attacker trying to exploit vulnerabilities, decision-makers responsible for cyber strategies and tactics, or the frontline employees running digital business processes and cyber programs.
If this is the case, then why has this report glossed over people until page 22, where the majority of the content looks at talent acquisition, instead of cyber culture? Yes, talent acquisition in cyber is a challenge, but let’s go back to 91% of organisations report at least one cyber incident or breach. The future of cyber isn’t doing the same old thing, over and over, and expecting different results. The future of cyber isn’t ploughing funds into tooling. The future of cyber is looking beyond the tech-centric and threat focus toward the potential positive outcomes they can achieve by deeply integrating cyber thinking and cyber actions across their businesses, and that can only be done through people (which gets 5 mentions, all in relation to talent acquisition).
All is not lost, page 23 contains the following:
Change in behaviour: The use of automated behaviour-analytic tools to detect and mitigate potential cyber risk indicators among employees has increased significantly. In this survey, 76% of respondents reported using such tools; in the 2021 survey, 53% reported using them.
At this point, I made a little hmmm noise. More organisations are using behaviour analytics tools than are using annual training. Now, I’m pretty clued up on the cyber behaviour market, and make it my business to be, so I stopped to stare into space while I tried to come up with vendors peddling automated behaviour-analytic tools to detect and mitigate potential cyber risk indicators among employees. I do know some who claim to be doing this, but in reality there are one or two vendors who actually do provide this in the awareness or culture change space. I have good relationships with the people within those companies. This report was based on the findings from 1,000 cyber decision makers, and if 76% of those were using one of the tools I’m thinking about, my conversations with those vendors would be very different. Based on this knowledge, I can deduce that the automated behaviour-analytic tools are cyber tools for logging and monitoring, as opposed to cyber behaviour change tools. Those tools may well have their place, but using only these tools, and equating them to change in behaviour, is frankly ridiculous. If I were to lock you into your house, and then say you stayed home, did you change your behaviour, or did I implement a control that forced you to do something differently? If I unlocked your house, would you stay in there, or would you embrace your uncontrolled freedom? A technical control will only change a behaviour while the control is in place. Staff will go home and do risky things, because they have the freedom to do so, and those risky things may, inadvertently, be the cause of your next cyber incident or breach (think password reuse). Perhaps I misunderstand the terminology, and need some education in the world of automated behaviour-analytic tools?
The final section I scrawled over is named “Where do we go from here: Outlook”. Specifically:
When it comes to adopting innovations, begin with your strategy and understand the technologies available that support that strategy from a cyber perspective—then apply a critical lens. How does the use of a data service or platform, for example, align with your purpose, reinforce your ability to create trust, and open up the organisation to risks and threats? From there, work to apply the right solution for the right needs.
Understand the technologies. Reinforce your ability to create trust. Work to apply the right solution for the right needs, providing it is a technical solution, and doesn’t factor in people or culture.
I found myself considering, as I re-read my words, and the report, if the findings are open to interpretation, and I’m still unsure of the answer. Did I give out all the culture gold stars, because I related the content to something I’m passionate about? Did you read the report and think “they’re talking about pentesting”? Could they have been talking about people, and culture if they only mention culture 3 times?
As I said, the reason I read this report is that it appeared in my feed with the words “59% of CISOs are doing Security Awareness”, and I was hoping there’d be more data behind that statistic. If the likes of Deloitte aren’t even mentioning the impact of cyber culture on an organisation’s security posture in the future of cyber, do I hang up my hat now, and admit defeat? You guys have been renewing the same old tooling, year in, year out, yet the number of you facing incidents or breaches keeps growing. Will there ever be a place for us cyber behaviour and culture change warriors? Will CISOs always deprioritise “security awareness” in favour of tooling, and does something drastic need to happen before every organisation has a dedicated programme, which at the very least increases that 59% figure?