CIO opinion
we really mean it, we’re giving you a gift in return. Make it really well known how to do it.

How can business leaders improve their approach to ensure this happens?

I think it has to be throughout the organisation – it can’t be initiated by the CIO or CISO, it has to be something that’s embraced by all the upper management. Everyone must understand that security isn’t an IT problem, data security is a business problem. IT can’t control what finance does, finance have their own processes, they have to embrace it and it has to be a part of their culture as much as it is IT’s. It may be IT’s job or the CIO group’s job to stop that framework for that positive message or easy processes, but then the leaders of all those groups within the company need to embrace that with their staff and let them know that this is a team thing no different than the physical security of our building, which is obviously a joint responsibility also. Keeping it positive can be tough but any time there is a punitive thing, think about turning it on its head. For example, if you’re doing phishing tests, instead of just reporting that 20% of people failed, also measure how many people reported it to the security team and start measuring that as a positive metric that you want to see increase. Generally, in IT, we always focus on the negatives and we’ve got to look at it the other way around – how much did we block, how many people did we protect, how many people reported – so that people feel good about participating.

How important is it for business leaders to build and maintain reliable employer relationships to avoid insider threats?

Insiders are tough. If you have an insider attack it’s likely to be a problem that’s going to increase. It’s very difficult to defend against this kind of thing and if I consider it from our own company perspective – we have a lot of loyalty because we treat our people with a lot of respect and while we expect a lot from them, we give a lot back. I think that creates a very positive environment which makes it more difficult to be that malicious insider. If I were to turn tomorrow, I would be so isolated because the people I work with are so loyal, they’d expose me. It would be hard to get away with it because the team I’m on is so invested in the company.