Cybersecurity is not a technical problem, it's a financial problem.
Human beings act in their own best interests. If those best interests come in conflict with security, then security loses.
If you want people to care about security, you have to make it in their best interests to do so.
This may seem like an obvious thing to say, but it is the foundation of all security strategy, both as a matter of public policy and within an organization at the departmental, team, and individual level.
Corporations don't care about security. They care about their quarterly earnings.
Employees don't care about security. They care about their paycheck. They care about their bonus. They care about—a little anyway—their stock options.
If you want to drive security change, you should always be asking yourself, what are the financial incentives in this situation? Because when security and profit come into conflict, security always loses.
Let me give you two examples.
Companies don't care about the security of PII. They don't care about data breaches. If a criminal steals a copy of your customer database, so what? You still have a copy. And consumers don't understand the abstract collective harm.
So governments now regulate mandatory security practices and fine companies that fail to meet those minimum security practices. In a classic free market failure, the government can and should step in to ensure the collective good.
Let's take another example, more concrete if you're a CISO. The only people in your organization who have security as part of their KPIs or OKRs are you and your team—the Security team. Why would the Marketing team, to take a random example, have cybersecurity in their OKRs? That would be a little… weird.
As a result, you will frequently come into potential conflict with other teams where company-wide security strategy finds itself at odds with other teams' OKRs.
How do you solve this problem?
I've had many conversations about how to integrate security into other departmental OKRs, and frankly that's a lost cause. I've yet to see a way to make that work. (If you have solved that problem, I'd be genuinely curious to know how.)
Rather, I think we need to fall back on Cybersecurity 101, the axiomatic foundation of security risk management that I first learned twenty-plus years ago:
Security only works when it comes as a top-down mandate from the CEO personally. Period.
Why the CEO?
Well, orchestrating dozens of departments in a large organization to work together toward a common goal—only one job title has that responsibility and authority, and that's the CEO.
Balancing all the equities, weighing risk and opportunity against each other, and making the final call—again, that’s the CEO.
And it must come from a position of authority, because outside of the Security team and maybe the Legal team, no one in the company cares about security. Security evangelism is nice and all, but nothing beats a “do it because I told you so” from the CEO, with carrot and stick to go with it.
The carrot and the stick. You, dear random employee, get paid for meeting security goals, whether you understand them or like them or not. And if you don't do what you're told, there is, eventually, some sort of company discipline.
Dollah Dollah Bill Y'all. Follow the money trail. Tell me what the financial incentives are, and I'll tell you if your security strategy is going to work. And if you can't align financial incentives with your security strategy?
Then your security strategy will fail.