While being aware of potential threats is critical, it doesn’t automatically mean an organization is prepared to deal with whatever crisis they encounter. Too many organizations are made up of teams that aren’t actually aligned, a mismatch that not only decreases efficiency but can lead to information silos and foster a culture where solving the problem is secondary to pointing fingers. Even worse industrial espionage and cyber thieves can work right next to your employees and people don’t even know.
To help keep your organization safe from cybersecurity threats and improve efficiency, you need to take the awareness you have and, as a team, transform it into action. If you take nothing else from this article “don’t be afraid to act, share information or ask a question”. Communication and breaking down those silos is key. This was one of the number one failure from the Snowden case at the NSA. It truly is simple if people question, act, and communicate.
How External Experts Can Help
We have all been in a situation where a fresh, outside perspective has made a big difference. When we are too close to a problem, we aren’t always able to see it clearly and may require a fresh set of eyes to see the full picture and develop actionable solutions. Every CISO knows that at times you need someone else to deliver the news that you have presented on an ELT or BoD deck for the past four quarters. We have all been there for that frustration.
A lot of organizations feel less like cohesive companies and more like groups of warring tribes as different teams compete for executive attention and resources. This “us-versus-them” mentality can be toxic and encourage teams to compete for resources and attention instead of cooperating and working together to achieve common goals. It happens even within IT teams – Network team vs. Security team.
Addressing Company Culture Issues Improves Security
When teams are encouraged to compete for resources instead of working together, it does more than make a company an unpleasant place to work. It also hampers security efforts. Can you image how ineffective the US Military would be if they didn’t have cooperation within their units and team? Think about how the Intelligence communities have had issues in the past before 9-11 and how working together (still not perfect) has increased the security levels of the country.
When companies are fractured like this, teams aren’t likely to share information, resulting in data silos. These silos are dangerous because it prevents the company as a whole from seeing the whole picture.
Say you are a guard tasked with defending one section of a wall around the city. If you see one enemy creeping up in the night, you might take them out and think the problem has been dealt with. However, by failing to communicate with your fellow guards, no one else is on high alert and no one is aware of any potential danger. In the same breath you don’t realize that the one enemy you spotted is, in fact, part of a larger army advancing on the city. When the rest of the army arrives, they will likely target the most vulnerable sections of the wall. Whoever is tasked with defending that area of the wall will likely be quickly overwhelmed. This is because even if they are aware that the army is advancing, they may feel they have to defend their section alone rather than call for reinforcements, for help defending vulnerable sections of the wall.
Tech companies, in particular, can fail to see the big picture. This usually happens when they focus too much on the core technology (and the teams responsible for developing and maintaining it) and too little on the business side that handles sales and supports those products and services. Encouraging cooperation across teams and making sure every department feels that their voice is being heard makes it significantly easier for teams to work together to translate security awareness into security action. It allows all the guards to work together to better defend the city instead of leaving each guard to deal with any number of enemies on their own.
Strict department budgets encourage silos as different teams compete for scant funds. While budgets are critical for limiting spending and keeping organizations profitable, they can also breed resentment and discourage teams from working together and sharing information that can improve security for the entire organization.
Oil & Gas Exploration Company: A Mini Case Study
One organization that benefited greatly from getting an outside perspective was an oil and gas exploration company. While initially, this organization was very siloed, the leadership team recognized that hoarding information and competition between teams for funds and attention was significantly hampering productivity and having a negative effect on company culture. There was also significant resentment between the technology teams and the business teams, with the business teams feeling that both leadership and the technology teams were ignoring their concerns.
To address this issue, the company’s leadership decided that all affected parties should have a say in major decision making. A committee consisting of one representative from each affected team was given the time, resources, and power to discuss major decisions and come up with solutions that satisfied everyone.
This approach eliminated resentment and curbed competition, and increased productivity as teams worked together to combine resources and improve efficiency.
True Cultural Change Starts at the Top
One of the best ways to lead is by example. Individuals at the leadership level are in the best position within any organization to affect change. Encouraging teams to work together and share resources (including budgeted funds) is great, but unless employees see leadership practicing what they preach, cultural changes may end up being superficial at best.
Sometimes teams within an organization need to be reminded that every team is in this together, and that, as the saying goes, a rising tide raises all the boats. Individuals in leadership positions need to actively encourage and spearhead inter-team cooperation so that information (including security information) is shared freely.
One-way EVOTEK helps break these down is when we perform a Security Program Assessment (SPA) we interview all corporate departments including outside of IT and Security. We include HR, Legal, Marketing, Business Units, etc. so that we are giving the CISO visibility into all these other departments but in doing the interviews (where the CISO/Security Leader attends) we are fostering the collaboration and breaking down those walls and silos.
A Sizable Threat: Malware as a Service
One of the reasons organizations need to be built on a culture of cooperation, and resource sharing is that cybercriminals are becoming more adept at cooperating both within their organizations and with other malicious actors. The dark web is full of an entire industry of companies that operate like start-ups but whose product is creating malicious software that other bad actors can purchase or license.
These operations are incredibly polished and well run, so protecting your organization from them is going to require every single worker to do their part. Sharing information gives the entire organization a better idea of where their vulnerabilities are so those weak spots can be reinforced. Sharing information also means that if one team spots suspicious activity, they can consult with other teams to determine if there is a threat instead of having to rely on their own limited view and resources. Fostering inter-team cooperation helps ensure that resources (both funds and specialized workers) can be shared across teams to improve security for the entire company.
Addressing silos today can help ensure your organization has the teamwork mentality necessary to fend off malicious attacks. Our team is here to help you identify cultural and security issues and give you the tools and knowledge you need to be resilient.