Key themes at this year’s Pink-LATAM conference focused around Agility, Business Value, Risk and… Culture. Culture and behavior seem to be increasingly featured topics at IT conferences as a critical barrier or enabler for the IT transformation facing many organizations. However, it is not simply the culture and behavior within IT but equally within the business. The increasingly important and differentiating role that IT is playing requires a shift in mindset and a change in behavior throughout the organization – none more so than with the topic of Cybersecurity.
To support the focus on Risk and Culture, GamingWorks facilitated an Oceans99 business simulation workshop.
The goals of the simulation:
- Explore Cybersecurity and how it impacts the end-to-end organization.
- Use elements from the CSX (Cybersecurity Nexus) framework as an assessment and improvement set of guidance.
- Capture key learning points and takeaways.
At the start of the session we asked delegates: ‘What are the key Cybersecurity-related issues within your organizations that we want to try to explore in this simulation?’
These were the current issues facing the organizations:
- User awareness (4 people)
- Culture & Behavior – following policy (3 people)
- Too many Policies and controls – impacting Agility
- Missing Policy
- Policy awareness
- Information about the clients/business
- Disruption – new technology causes disruption, security controls cause disruption
- Security of ALL information
- Access management
“It is clear that behavior and culture were the top-scoring issues facing organizations”.
Oceans99 – creating awareness and addressing behavior
In this business simulation game: “The owner of the Bank of Tokyo has decided to exhibit three world-renowned objects: the ‘Star of Africa’, the ‘Jewish Bride’ and a ‘Bugatti 59’. The challenge for the team is to bring the objects to Tokyo on time, safely and securely, and to have them exhibited. However, there are rumors that Oceans99, a criminal organization, wants to steal the objects…” In the game the various stakeholders make use of information systems for planning, for managing, for transporting and monitoring the objects, and for booking and selling tickets, so there are many opportunities for Oceans99 to exploit vulnerabilities.
The team was given the exercises of designing a security policy, performing a risk assessment and developing a strategy for investing in security countermeasures. We used the CSX ‘COBIT 5 – Model Behaviors in Cybersecurity’ between exercises to reflect on how well the team had performed and to agree improvement actions.
What happened next?
The team attempted to identify the critical assets they wanted to protect as part of their policy. They huddled together and ignored the board of directors, who sat there ‘waiting for a policy proposal’ from the CISO. Critical assets were seen as ‘the Car, the Diamond and the Painting’.
The team had NOT actively engaged with all stakeholders to identify ‘critical information assets’, such as ‘route maps’ and ‘credit card information’, and had not adopted a holistic approach of looking at ‘physical objects’, ‘critical information assets’ and ‘critical information system assets’. The team had also not defined the overall responsibilities and accountabilities – particularly in relation to the board and business users.
“The board took a hands-off approach, and HOPED that the Security Policy was appropriate. This is recognized as a real issue”.
In terms of the ‘COBIT 5 – Model Behaviors in Cybersecurity’:
- ‘All users were NOT aware of, and NOT actively involved in, defining active cybersecurity principles and policy’ – a clear principle in the COBIT 5 guidance is ‘Focus on the Business’ (there was a clear lack of focus on gaining a business understanding of critical assets).
- ‘Users did NOT have a clear understanding of their accountability and did NOT act responsibly’ (in terms of shaping cybersecurity policy and principles).
- ‘Cybersecurity principles, policies and standards are updated frequently to reflect day-to-day reality as experienced by the enterprise’ (nobody had used the ‘list of issues’ from the start of the day to help shape the Cybersecurity policy, and nobody took ownership of these issues).
We revealed findings from a recent McKinsey report entitled ‘Protecting your critical digital assets: Not all systems and data are created equal’, which stated ‘The idea that some assets are extraordinary – of critical importance to a company – must be at the heart of an effective strategy’.
“This is NOT an IT issue: CISOs and IT security specialists do not have this level of business understanding. Without business accountability for identifying these critical assets, organizations face significant, hidden risks”.
The next exercise was the risk exercise. ‘COBIT 5 – Model Behaviors in Cybersecurity’ states: ‘Users are sufficiently aware of the risk, threats and vulnerabilities associated with attacks/breaches’.
All team members were asked by the CISO to fill in a risk form. They spent half the time discussing what these terms meant and realized they had insufficient understanding to determine vulnerabilities. ‘Awareness training was required’.
Whilst performing the exercise, the owners of the Amsterdam and London museums and the transport manager all opened phishing mails. Las Vegas thought they had received a phishing mail and reported it to the CISO, who said to ignore it. None were logged as cybersecurity-related attacks. CSX guidance says: ‘Detailed data on past attacks and incidents are an important factor supporting risk analysis’. Once again, a clear input for awareness training.
“Although everybody had recorded ‘User awareness’ and ‘Culture’ as top issues, this was not mapped as a high-probability, high-impact threat, and as such it was not given priority in countermeasure investments. This lack of focus was also recognized as a real issue”!
At the end of the session we asked delegates: ‘What did you discover in this session that you will take away and do differently in your organization?’
One delegate said, ‘This was eye opening’.
- You cannot secure everything, look at critical assets, together with the business owners and key users to identify the ‘crown jewels’.
- The list of current issues made by the team was ignored, yet this is what we wanted to learn to solve. A list of recognized issues should be made and:
  - Used to update policy.
  - Integrated into incident management and monitoring.
  - Made visible and used as input into risk management.
  - Reviewed in relation to critical assets.
It was concluded that very few organizations actually compile a ‘continual improvement register’ for Cybersecurity.
- Use the list and real examples (phishing, incidents, monitoring) as part of awareness training, also making everybody aware of the critical assets and impact.
- Awareness training isn’t enough; it should be followed up with tests (e.g. phishing mail tests) to continually remind and correct behaviors until they become habits.
- ALL stakeholders should participate in awareness training, including the board and senior executives.
- Awareness training should also take into account the ‘COBIT 5 – Model Behaviors in Cybersecurity’.
- Risk assessment should be done by ALL; the CISO can train people how to do it. It should also be an ongoing exercise: technology changes rapidly, external drivers and business goals change continually, and new insights are gained from security-related incidents.
- Use incident monitoring as input to the risk exercise and awareness training.
- Leverage external expertise for vulnerability tests. Hackers spend 24 hours a day becoming experts; we are always behind the curve.
- Take a more holistic look (at information, systems, physical assets, people and culture) and adopt a multi-disciplinary risk assessment approach.
- The CISO should not be the only one to make the policy; it needs input from all.
- Build a business case for countermeasures, relating it to critical assets and the impact on the business, using incident monitoring as input to the business case.
- Top management involvement, commitment and accountability are critical. Accountability is needed at board level. Using this simulation as part of ‘awareness training’ for executives is a good way to confront them.
- End-to-end communication and understanding of policy, procedures, critical assets.
- There is a need for a coordination role with an overall, end-to-end vision to ensure this is embedded throughout the organization.
- Use a framework or method of best practices – e.g. CSX, with particular emphasis on ‘Model behaviors’.
- The simulation shows how all the elements fit together and the impact when you don’t align them; this provides a powerful way to change attitudes and behavior and to create awareness.
- The simulation game is good for different cultures (organizations and teams needing to work together).
‘A powerful learning experience. I will do things differently after this. There are many things I can take away from this’ said one delegate.
My conclusion, having conducted this simulation with many teams and CIOs, is that there is far too little attention spent on what CSX labels as ‘COBIT 5 – Model Behaviors in Cybersecurity’. Furthermore, ‘Awareness training’ is too generic and often not matched to specific organizational situations and organizational learning. Awareness training is often a one-time exercise with too little follow-up to embed ‘model behaviors’ into the culture and make these behaviors a habit. Although board members are becoming increasingly concerned with Cybersecurity, they do not see this as representing a cultural change issue, and do not take accountability for it. In all of our sessions so far the risk exercises focus almost entirely on ‘IT technology-related risks and countermeasures’.
A further, final conclusion. Cybersecurity forms an essential part of IT Governance. IT Governance is a critical capability for organizations to realize their ambitions for IT transformation initiatives, on the one side to ensure ‘Benefits Realization’ and on the other side for ‘Risk Optimization’. COBIT 5 is an industry-recognized framework for enabling the ‘Governance of Enterprise IT (GEIT)’, yet in my surveys around the world IT Governance and COBIT are being poorly adopted and applied. One of the critical enablers for IT Governance according to COBIT is the ‘Culture, Ethics and Behavior’ enabler. The guidance for this enabler has still not been produced, as it is not seen as a high priority. I wrote a blog on this which has the most hits of all of my blogs so far, which leads me to conclude it is a ‘hot topic’. I would urge ISACA to produce this guidance and to further promote COBIT not as ‘an audit instrument’, which seems to be the prominent perception, but as an enabler to solving the Business and IT-Alignment issue, which is once again the number 1 CIO concern in the most recent BITTI publication ‘Trends in Business IT & OT’ – a 2017 Dutch-language publication of research into hundreds of global companies. This finding also mirrors the GamingWorks findings from business simulation workshops held with hundreds of organizations globally.
Model behaviors in Cybersecurity… Model behaviors in IT Governance. Let’s just ignore them like we usually do.