Mother Teresa once said “We the willing, led by the unknowing, are doing the impossible for the ungrateful. We have done so much, with so little, for so long, we are now qualified to do anything with nothing”.
I bet that is how a large number of digital security personnel feel all of the time. It is harder to convince a CEO, CIO, board members or management team that they need to spend money on digital protection than it is to fly to the moon by flapping your arms.
If internal people, especially IT managers, have trouble selling this point, external providers have an even harder time doing it. The attitude that external providers are only trying to fill their sales quotas is rampant in the industry. At least that is the perception. In reality, a large number of technical companies are truly trying to get you to protect your organisation from a devastating cyber attack. They know what the bad guys are after and what the organisation needs to do to protect itself. The best salesperson is one who is not worried about promoting others’ products.
That is what a good MSSP is for.
Internal digital security personnel of large organisations are trying to protect the data and information held within the business. Most of the time they are considered scaremongers. The constant barrage of “it won’t happen to me”, “we are too small to be a target” and “we have nothing worth stealing” is just what the cyber criminals need to hear. The management team and board members fail to listen to the warnings and signs that the internal experts bring to the table.
That is, until it is too late. When the organisation is hit with a cybercrime, there is a major and fundamental change – “How did that happen? Here’s the cheque book – fix it!”
The internal digital security people are the first to front the firing squad, because that was their job. The fact that they were working with outdated technology, misinformed and uninformed management teams and underfunded budgets is not accepted as the reason – they should have protected the organisation.
The threat landscape is constantly changing. The more technology that is deployed within an organisation to improve data access or convenience of use, the less security is considered as a business driver. With the addition of shadow IT, IoT, big data and all the other components of data protection, it should be a full-time job for most businesses, but it is not.
What would speed up the process of understanding that cybercrime is a major problem?
Well I have an idea.
Play a game.
Game play has always had the desired effect when it comes to teaching people solutions to complex problems. As for me, I was a gamer long before computers and consoles became the norm, and I have reverted to my younger days.
When it comes to playing a board game to teach management what “could happen if they had a breach”, is that a good idea? I think so!
Getting through the noise of “What, play a game? I don’t have time for that” is also difficult. It is not difficult to the same level as getting people to see cybercrime as a bona fide threat to the business and a risk to the organisation, but it is still difficult.
The biggest response we get is “I have more important things to do”. So 20 minutes on Facebook is more important? Not when Facebook could be the agent for getting into your organisation!
Just like other components of the business, priorities are distorted, but only until it has happened – you know, the horse and barn door type of thing. Only after the blackmail email, the crypto-locked PC or the crashed eCommerce web site is there a concerted effort to look at the issues of cyber security, along with an opening of the cheque books. This all happens in parallel with the large collective covering of arses that is also going on.
When it comes to these sorts of problems, Eastern society has it right – fix the problem before assigning blame. Fixing the problem in this case involves a large education process so that it will not happen again. Once again, a game can educate management to a level where they are confident that what their own people are doing is correct.
Role playing for fun and profit has been around for a while now. It is used everywhere from sales and marketing through to psychology in today’s world, and it has been used in those areas since the 1920s. This has nothing to do with “playing a game is stupid, playing a game is childish, I will learn nothing from a game”.
So why not play the game that teaches you the basics of cybersecurity, without you losing your shirt?