What has been the strategies used to maintain the business’s buy in and support for cyber risk management (in particular things like mandatory training) and how successful have they proven over time?
You need to gather some stats that showcase the risks for Executives. Highlight with data the instances where the highest risk is with staff and the attacks using direct methods. If you have the tools, activate a simulated attack to highlight how many staff “clicked through” a link from an email.
To get staff buy-in we use Mimecast training modules. They are short (5 mins max), funny and get the messages across. We have approximately 80% month on month completion of the training. I was expecting numbers to drop but because they are funny staff keep coming back.
In my experience, you have to start with Management understanding that all cyber risks are - like every other risk - ultimately business risks. We’re not operating an IT shop here for our own entertainment, it’s all about delivering business value.
So you’ll have your regular risk meetings with the executives (for example, the quarterly Board Audit Committee) where all high-level / rolled-up risks are presented, discussed, and either accepted or requests for more risk treatments are made. As part of this process you may have to present your risk report to the leadership team in advance, or to a selected group of executives.
The Board or the executives may want to know why the cyber risk is, in total, rated as “extreme” and you’ll have an opportunity to drill down. Staff aren’t completing their training? Those risks are assigned to the business units that don’t enforce it. Business is putting projects into production without a security review, without mandatory controls, and so forth? That’s a risk that gets assigned to the business unit, and so on.
At the end of the day, each executive who heads up a business unit will own some number of risks, and they have to explain to the Board why that’s okay (and to be fair, it may be perfectly okay - no business runs without risks, well-run businesses actively manage those risks). Your friends in Audit may be very useful here if you know what the risks are and have the paperwork to demonstrate that they’ve been reported to the business units in a timely fashion.
If the CISO winds up owning more than a trivial number of risks, then something has gone very wrong in this process.
I got my exec team to think about ‘what if’ scenarios.
For example I asked our CFO to tell us what would happen to the company if our product (revenue source) became unavailable for say 2-5 days.
This force him and the COO, CTO to think about dire events e.g. failed SLA agreements with customers, halt in inbound cash, possible breach of contract suits etc etc.
I found that a lot of execs initially are dismissive of risk considerations or superficially assess it. But forcing them through a ‘what if’ make them think it through.
Another example, I asked the CTO was ‘what if’ we had no backups and were hit with ransomware. He stated it would take six months to resurrect the service, CFO said $4m loss, CEO fell off his chair.
In summary, what you need to do is get C level to think about what go wrong and what is the impact.
One example I used, Ansett (remember them?) look what happened when aircraft were grounded. yep out of business. You then use a related example like that back to your business.