The banking industry spends 40% more on combating cybercrime than any other industry, with a per-firm average of $18.5 million spent on direct costs of incidents annually. When you also consider that cyber attacks on banks went up a whopping 238% during the first few months of the COVID-19 pandemic, you get a very clear sense that this is a top priority problem, and it needs top-down support.
While you’re likely to get agreement on the former, you may be surprised to find less on the latter. Everyone agrees that cybercrime needs to be guarded against, yet they’re not always on the same page as to whose job that actually is. Part of the problem stems from the idea that it’s, well, just one job. Making it the CISO’s responsibility to go department by department to get “buy-in” on cybersecurity may be an outward show of taking the issue seriously, but in practice, it could actually create unintended weaknesses.
Those attempting to implement new ways of approaching cybersecurity are faced with competing cultural perspectives on technology and competing ideas about how to implement that technology. Left to shoulder the burden of responsibility alone, they can find themselves unable to get smoothly from point A to point B and beyond.
Gerry Owens knows exactly what it takes to change outmoded thinking and implement lasting change. A veteran IT risk management and cybersecurity executive with more than 30 years’ experience in the banking industry, Owens has often been the lynchpin at the intersection of organizational transformation, employee engagement and technology. Currently CEO and Founder of GOTAB IT RISK inc., he works with security and risk leaders to architect and execute successful tech transformations.
We sat down with Gerry to learn why some large-scale initiatives “stick,” while others can’t seem to get off the ground, and how – as a firm believer that privileged access management (PAM) underpins any major cybersecurity strategy – his frontline insights can help organizations navigate their own PAM journeys.
But what logically could have been a technology-focused discussion turned out to be anything but. In fact, we barely talked about that at all.
“I’ve seen many technology implementations struggle,” Owens explains, in a conversation rooted in his career in IT management and his unique experience in the banking industry. “Often it is because people didn’t embrace the change as much as you needed them to, whether it is not understanding the significance of the program, alignment to the corporate strategy, or not having clear direction on priorities. This tends to create an element of dissension – people who didn’t feel that the change was worthwhile, or that it impacted them adversely. And whether they knowingly or unknowingly fostered this negativity, they’re the ones that stood in the path of a successful implementation.”
The short answer, says Owens, is that for implementation to take hold, it has to be something driven from senior executives across the firm with clear communications across all levels, and a shared accountability for the outcome. “Organizational change management needs to lead with people,” says Owens.
C-Suite Support is an A-Level Priority
Owens bristles at the term “getting buy-in” when discussing the implementation of new technology programs because, quite simply, he doesn’t see programs like privileged access management as anything less than a core priority. He’d also like to do away with the term “technology programs” altogether while he’s at it.
“We need to stop calling them [that] because, as a matter of fact, they’re business transformation programs that tend to disrupt operational processes,” Owens says.
If such programs are not prioritized – and are instead seen as somehow optional – they will continue to face challenges to their acceptance and complete adoption all the way down the corporate hierarchy. During his years in the naturally risk-averse banking industry, Owens saw firsthand how important it was for CISOs to have the ear of CEOs and board members. Their understanding of, and appreciation for, the types of risk the firm is exposed to and the security programs necessary to protect the organization sent a clear message from the top: this is the new way of doing things.
“We have to make it clear: privileged credentials and accounts represent one of the largest attack surfaces for organizations today,” Owens says. “We’re not giving you the rite of passage. We’re telling you, ‘This is going to be your new operating model.’”
Through his consulting work, he’s heard this particular struggle voiced time and again – particularly from organizations in the mid-market. Rather than a strictly mandated course of action directed from above, the onus is on the CISO to make the case to each level of the company directly – some of whom will immediately recognize the importance and some of whom will fail to see the relevance to their particular silo – in a wasteful effort to get everyone onboard rather than an effective push to communicate “this is how things are going to be done now.”
Owens sees only one true way for operational change to not only get implemented thoroughly but take hold, grow and thrive – and that’s through transparency from the top down. And this isn’t just “buy in,” it’s true understanding, he says. “When I’m implementing something so complex that’s touching a whole bunch of business processes, applications and infrastructure technology, not only does the accountability of who has access become important, but I also need to make sure I’ve got the people at the table that will successfully see the project through its evolution.”
To ensure that security is seen as a shared responsibility throughout an organization rather than one person or group’s “job,” Owens suggests a few key strategies:
- Make It Urgent, Not Optional. “[Senior executives] need to understand the vulnerable state the organization is in right now – and the consequences that could come as a result of this vulnerability,” he says. The mass – and sudden – shift to remote work in the past year has stretched and tested resources, which is only accelerating the urgency of strong security protocols. The recent SolarWinds breach has torn through government and private organizations alike in what is the latest example of how privileged credentials and accounts remain incredibly vulnerable to attack. There is a need to drive a crisis mindset before the crisis occurs.
- Build Your Case. Create a business-level narrative to show top stakeholders that unprotected privileged access is a security challenge that encompasses every single user, application and machine identity – and has the power to completely disrupt business. Aligning security with clear business goals, and risk appetite – outlining metrics that define success while also taking into account potential disruptions – will help ensure security isn’t seen as an add-on or some useful tool, but an integral part of growing and maintaining the business.
- Don’t Go It Alone. To gain momentum for acceptance and implementation, CISOs need to “interface with the right levels of influence within the organization.” For example, Owens encourages them to “talk to your risk group and make sure they understand the importance of the PAM initiative, so they can help escalate to leadership in parallel and drive urgency amongst business decision-makers.” Also bring the people with influence at every level, such as HR, into the fold. They can help drive the message that “security is everyone’s responsibility.”
- Break Out the Placemat. Your case – and subsequent executive reports – should be able to be made in a single page to ensure it gets read and absorbed. “I call it the placemat,” Owens says. “If we can’t tell some of the most senior executives within the organization how we’re doing and what the situation is, or where they need to help, on one page, we don’t deserve to be in this role.”
Security can only become part of an organization’s DNA when there is, in Owens’ words, “a sense of accountability across the organization that everyone is responsible for security and for the firm’s performance when it comes to privileged access.” When this is communicated clearly and directly from the top, the entire process tends to go much more smoothly. That’s when organizations realize cybersecurity isn’t a job, it’s an integral part of everything they do – and it’ll only get more important year after year.