– Information Security is a core business issue
– It takes more than technology
– Culture can be a force multiplier for InfoSec
- “In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how not to be a victim.” Cyber Resiliency in the Fourth Industrial Revolution. 2016. Hewlett Packard Enterprise, FireEye, Marsh & McLennan
- “Make people your first line of defense” 2016 Verizon Breach Investigations Report Executive Summary
- “The human factor is and remains, for both the IT professionals and the end user, the weakest link in relation to security…. This is often about changing the culture such that employees are alert to the risks and are proactive in raising concerns with supervisors.” Cyber security: it’s not just about technology. KPMG. 2014
- “There is a need for the entire organization to embrace the security strategy. That’s … going to be driven by the CISO but it’s going to … be really driven by the top leaders of the organization and they’re going to … see it as a core part of the business,… making sure the business continues to grow and succeed..” Adam Gutstein, Vice Chair, PwC in video PwC talks about cybersecurity: C-suite perspective. 2013
- “Security must be viewed as a ‘people problem’: Strong security is not just about tools; it is about people being educated about the importance of security in all aspects of their everyday life. Well-educated users will make good decisions about security and be more likely to be proactive and ask questions if they sense there is a security compromise.” Cisco security manifesto principle 5. Cisco Annual Security Report. 2015.
- “Cyber resilience must reside in the organization’s DNA, so it becomes an organizational imperative to protect and enable digital interactions.” Cyber Resiliency in the Fourth Industrial Revolution. 2016. Hewlett Packard Enterprise, FireEye, Marsh & McLennan
- “Those of us in the security industry know that an organization’s best defense against internal and external breaches is not technology alone. It is the culture of security within an organization – a mindset on the part of every individual so that actions in support of information security become automatic and intuitive.” Adel Melek. Protecting what matters. The 6th Annual Global Security Survey. Deloitte. 2009
- “The network perimeter has become porous due to the widespread use of data-sharing tools…Insider breaches, therefore, are not just a technological issue but a human and cultural problem…Data security starts with the individual user.” Stephane Charbonneau, CTO, TITUS in Security from the Ground Up: The Need for Data Classification. Information Security Magazine. 2016
- “Organizations can benefit from the lessons of those who have prepared well. Most telling, these companies have … implemented a cross-functional governance model that engages the organization from the boardroom, to management, to employees.” Securing the C-suite – Cybersecurity perspectives from the boardroom and C-suite. IBM Global Business Services. 2016
- “Almost more than any other risk a company faces, are the myriad of stakeholders involved in building cyber resilience. The board of directors. Multiple members of the senior management team, including the CEO, CFO, general counsel, CIO, head of HR, and chief information security officer (CISO). Your employees. Your vendors. The role of the board and each member of senior management, in particular, should be clearly articulated in order to enhance your organization’s agility to respond to a dynamic threat and avoid conflict.” Cyber Resiliency in the Fourth Industrial Revolution. Hewlett Packard Enterprise, FireEye, Marsh & McLennan. 2016.
- “Culture eats strategy for breakfast.” Peter Drucker