Digital security, cyber security, or just security. It doesn’t matter what your policy is called, the facts surrounding security remain the same: It’s a day-to-day struggle for businesses because of the huge increase in hacks and breached systems, including mobile and IoT devices. Only 5% of business portfolios are properly protected and 68% of business leaders feel their cybersecurity risks are increasing. Is your security policy properly addressed? In this episode, I share what my 20+ years in digital policy has taught me about structuring the right security guardrails.
Hello everyone, and welcome to this month’s overview episode of The Power of Digital Policy! Today I want to talk about digital security policy. Because well, security has become such a central point of digital. Or rather, the data breaches and data leaks have become the central point of discussion.
Digital security, cybersecurity, or just security. It doesn’t matter what your program is called, the facts surrounding security remain the same:
If you haven’t yet been a victim of a security breach, don’t count your blessings quite yet. It takes, on average, 206 days to detect a breach, so your turn is coming. And by the way, once you do discover the event, it will take some time to clean it up. The average lifecycle of a breach, from the time the breach occurs to containment, is 314 days, according to IBM. Oh, and the average cost of a data breach is $3.9 million, or $150 per stolen record.
Is your head ready to fall off of your shoulders yet? Security isn’t just always-changing; it is challenging as well. Most businesses relegate the risk to the Chief Information Security Officer (or CISO) or somewhere in the pit of IT. But doing so doesn’t do justice to digital security. After all, with cloud solutions and the marketing team managing more of the martech stack every day, security needs to be an all-hands-on-deck activity. In other words, everyone needs to have responsibility for security, even though there might be one person stewarding security and living with the ultimate accountability.
I am often asked who in the organization needs to own digital security and how that lines up with my idea that there ought to be a single “librarian” for all of the digital policy. I certainly believe we should extend legacy roles, such as those of a CISO, into new digital channels such as AI and VR. But a lot of times, CISOs are busy with enterprise security and are not on the front lines of digital development, which is where the digital policy steward can play a critical role. Therefore, a strong partnership between the digital policy steward and other functions, including those of the CISO, needs to exist. But remember that even those two roles can’t address security in a vacuum. You also need to have the human resources or training department on board so that employees are receiving the right level of training, and the rest of the digital community needs to serve as trigger points, as recipients, or both, for security policy information.
And since we are talking about security policy information, let me suggest that one of the key problems I see with organizations right now is the lack of comprehensiveness in creating a digital policy program. Most enterprises create a policy, stick it into the policy library, and mandate employees to take once-a-year online security training. The training comes down to the individual viewing videos and answering a quiz, where if they score 80%, they get the certificate and move on to business as usual for the next year. This approach is great for compliance but does nothing for your security practices. It doesn’t make you any safer than before the training cycle began. That is my issue with this type of training.
I think it is a great time to rethink security policy and do it in a much broader context that reflects today’s digital realities. When I work with clients, here are some of the things that I consider in order to get closer to a good baseline policy and practice.
Measurement and violations
Nobody ever seems to want to discuss the measurement of digital policy. I realize it is the spinach of the policy world, and everyone wants to eat it last. But like spinach, measuring digital security policy is healthy and good for you. So, try making your measurements easy to swallow. I recently did a fun experiment with a client, where we unveiled a pilot way to educate digital workers around security policy. Rather than having those “next-next-next click” training modules, we integrated security tips of the day throughout the digital world. Think your content management system welcome screen, a GitHub tip of the week reminder in the Slack channel, and impromptu free ice cream giveaways for workers sharing their tip or good security practice. We were able to measure security message penetration into the digital workforce. Did it prove useful? It did from a knowledge perspective. We haven’t seen as many violations of security, but it is early and hard to prove a negative. But the initial feedback from employees has been that they are having fun with the new model, it is not disrupting their work patterns, and they are learning more about security. How’s that for spinach?
Roles and responsibilities for triggers, reviews, and updates
Protection and breach detection
Contingency planning and business continuity
Most everyone thinks of contingency plans and backups as a separate policy. They are, but they are often triggered by a security event or the need to respond to a security event. So when you are pulling together your policy, make sure that the practice areas consider this intersection and that the security policy addresses or points back to the contingency planning and business continuity policy.
Make no mistake; I am not a security expert, which is why I partner with those who are and can bring the security subject matter expertise to the policy development discussion. And one of the key voices that every organization needs to consider is that of a cyber insurance expert. Insurance is one of the most overlooked areas of policy, and yet it can bring tremendous benefits and comfort to the organization.
This month, as part of the digital policy security discussion, I’ve invited Courtney Hensley to the podcast. Courtney will tell us why insurance needs to be considered for every business, how little it actually costs, and what aspects of insurance you should be thinking about (and telling your C-suite about!) in order to help the business properly balance the risks and opportunities of digital. Join me next week as we learn all about the digital insurance realm.
Until next time.