Issue Twenty Two

February 2023

The cybersecurity and data privacy conversations continue to gain velocity, illuminating confusion around the relationship between the two. Organizations understand the importance of building digital trust, but there’s work to be done around properly staffing, funding, and managing privacy and security initiatives. The digital economy we have all become a part of insists that we are active participants in protecting the infrastructure we’re responsible for.

The most foundational element of moving forward is strengthening cybersecurity cultures from within. We gain momentum on this front through employee engagement. There's no doubt this is the challenge of our time, but we can make significant progress by weaving the importance of security into everything we do. Complex challenges call for diversity of perspectives, amplifying the drumbeat of inclusion.

As we work to establish a unified front across the organization, we must understand the roles we play as individuals. We are only as strong as our weakest link, so by protecting the systems and information we are directly responsible for, we make the collective more resilient.

This month’s issue of Target Lock brings into focus the root of the challenge and the solution. Enjoy.


ZEROING IN


Despite Cybersecurity Being Top of Mind for the C-suite, Data Privacy is Lagging

Fortune

A new report by ISACA, a professional IT governance association, has found that despite cybersecurity increasingly becoming a priority for the C-suite, data privacy is lagging. The report found that both technical privacy and legal/compliance teams are understaffed, organizational privacy budgets are underfunded, and there are material gaps in the necessary skills specific to data privacy. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management.

Against this backdrop, non-compliance with privacy laws and regulations is costly. Laws such as Europe's General Data Protection Regulation and state laws such as the California Consumer Privacy Act (CCPA) have strict compliance requirements, and non-compliance can result in significant fines. Ultimately, this is an issue that may fall under the finance chief's purview, as a CFO's risk expertise is invaluable, especially with regard to procurement.

"Digital trust is increasingly becoming a board and C-suite priority, and privacy is a key component of digital trust."

However, the report also finds that organizations are not giving data privacy the attention it needs. ISACA's survey found that 42% of respondents said their privacy budget is underfunded, and just 34% indicated their privacy budgets will increase in 2023. Additionally, 40% said there wasn't clarity on the mandate, roles, and responsibilities, and 39% cited a lack of executive or business support.

Many organizations view security incidents and privacy incidents as one and the same, which is not the case. Many board members may not fully understand the fundamental difference between security and privacy and consequently do not prioritize privacy appropriately.

"Heavily investing in security without also thinking about privacy is a serious misstep—something as seemingly small as an improper privacy notification to customers (which would not be addressed through any security investments) may cost an enterprise millions of dollars and reputational harm."

The report highlights the importance of data privacy and the need for organizations to prioritize it.

"…it is impossible to have privacy without security, but it is possible to have security without privacy."

As the number of data privacy laws and regulations increases, it's crucial for organizations to have a designated data privacy program in place, staffed with qualified personnel and adequately funded.

SQ Insight: Kenneth Holley - Chairman


Employee Engagement - a Cybersecurity Imperative.

Silent Quadrant

A key differentiator for mature cybersecurity programs is a strong cybersecurity culture. A successful strategy for building a strong cybersecurity culture in an organization is ensuring employees are engaged in the workplace and in your cybersecurity initiatives.

Employee engagement is certainly more challenging in a hybrid or remote world and has arguably never been more critical to organizational success. Harvard Business Review makes the argument that fostering connection, helping teams bond, and providing fun activities can help build an engaged workforce. Notably, high-performing teams and engaged workforces have shared commitment and mutual expectations, check in with each other often, and frequently show appreciation for each other and their contributions.

We know that much has been written about the importance of employee engagement. This has been a significant challenge, especially in the era of COVID and the evolution of remote and hybrid workforces. Engaged employees are more likely to care about the organization and take an interest in protecting it. Engaged employees are less likely to burn out, and they have higher retention rates and better performance.

As companies promote a positive cyber culture in their organization -- as part of their cyber risk reduction strategies -- I suggest taking a page out of the employee engagement handbook and adding cybersecurity initiatives into other employee engagement activities. Incorporating cybersecurity into employee engagement activities might look like this:

  1. Build diverse and inclusive teams that respect and value employees. Cybersecurity is not just an information technology issue. Cybersecurity is fundamentally about people, and the human firewall is the best and most effective defense against cyber threats. Cyber threats come in varied forms, and diverse and inclusive teams help bring new thinking to address complex problems. A diverse workforce strengthens an organization's cybersecurity program by bringing different perspectives and problem-solving strategies to identify and address threats and build organizational resiliency. Indeed, strong business performance, resilience, and recovery are related to diverse and inclusive organizations, a clear competitive advantage.

  2. Connect cybersecurity to what employees care about. If the organization values cybersecurity, include it in the mission statement or in the values of the organization. Help your employees understand that good cyber hygiene is important not only at work but also in their personal lives, and that being cyber conscious is a social responsibility. Employees are more apt to embrace cybersecurity when they can see the connection to their personal values and to the values and purpose of the organization.

  3. Make cybersecurity training and initiatives fun, interesting, and varied. Not everyone likes or responds to the same things in the same way. Mix it up. Solicit feedback from staff and identify what motivates them. Make cybersecurity something employees are a part of, rather than something you tell them to do. Building your employees' confidence around cybersecurity creates advocates for the cause and can develop cybersecurity mentors throughout an organization.

  4. Use more carrots than sticks. Reward cybersecurity heroes (which isn't about getting it right 100% of the time). We all make mistakes, but when we do, reporting them promptly can make all the difference. Publicly acknowledge those who have made cybersecurity a priority and have demonstrated good cyber hygiene. Reward and encourage hitting the pause button. We have all experienced the "I was going too fast and just clicked on the link" phenomenon. Encouraging employees to slow down will not only improve cyber hygiene but will also help reduce the stress and anxiety that can lead to other mistakes as well.

Indeed, as many employees have reached capacity, it is imperative for managers to promote employee engagement and, by extension, cyber hygiene and effective cybersecurity strategy.

SQ Insight: Tony Ogden - President, GRC


Protect Your Personal Information and Data

Federal Trade Commission

Protecting your personal information and data is essential in today's digital age. Here are some tips on how to lock down your devices, network, and information to keep your passwords, Social Security number, or account numbers safe:

  1. First, secure your devices by keeping your security software, internet browser, and operating system up to date. Criminals often exploit weak points before software companies can fix them, so it's important to update your software regularly.

  2. Next, secure your accounts by creating and using strong passwords. A passphrase of random words can be more memorable and harder to guess than a shorter password.

  3. Consider using multi-factor authentication, which requires two or more credentials to log in to your account. This could include something you have, like a passcode or security key, or something you are, like a fingerprint or facial scan.

  4. Also, choose security questions only you know the answer to, and avoid questions with limited responses that attackers can easily guess.

  5. Backing up your data to protect it is also important. You can save your files in the cloud or to an external storage device. Be sure to find out what level of privacy or security different cloud storage services offer.

  6. Peer-to-peer file sharing can give you access to free music and videos but comes with risks such as strangers accessing your personal files or downloading malware. If you decide to use a peer-to-peer program, use your security software to scan any files before opening them.

  7. Finally, protect your home network by keeping your router secure and changing the default password.
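As an added illustration of tip 2 (this code is not part of the FTC's guidance or of this newsletter), the Python below shows why a passphrase of randomly chosen words beats a shorter character password: it computes the entropy of each approach and generates both with the operating system's cryptographic random source. The word list is a small constructed sample; the 7776-word figure used in the comparison is the size of the classic diceware list (six-sided dice rolled five times), and the formula takes the list size as a parameter so any published list can be substituted.

```python
import math
import secrets
import string

# Constructed sample word list, standing in for a published passphrase word list.
# Real lists hold several thousand words; the entropy functions below take the
# list size as a parameter, so the sample list is only used to show the output shape.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "delta", "ember", "falcon", "granite", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]

# Character set of a typical "complex" password: upper case, lower case, digits.
ALPHANUMERIC = string.ascii_letters + string.digits

# Size of the classic diceware list: five rolls of a six-sided die, 6**5 outcomes.
DICEWARE_LIST_SIZE = 7776


def entropy_bits(options_per_pick: int, picks: int) -> float:
    """Entropy in bits of a secret built from `picks` independent, uniformly random
    selections, each drawn from `options_per_pick` possibilities.

    The figure is only valid when the picks really are random (as with the `secrets`
    module below); words a person chooses because they are memorable, or characters
    substituted by a predictable rule, carry far less entropy than this formula says.
    """
    return picks * math.log2(options_per_pick)


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Join `count` words picked uniformly at random from `words` with a CSPRNG."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 8, alphabet: str = ALPHANUMERIC) -> str:
    """Build a random character password of `length` symbols from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength(word_list_size: int = DICEWARE_LIST_SIZE, word_count: int = 5,
                     password_length: int = 8, alphabet_size: int = len(ALPHANUMERIC)):
    """Return (passphrase_bits, password_bits) for the two approaches.

    Defaults compare five diceware words against eight alphanumeric characters;
    the passphrase is longer to type but carries about 17 more bits of entropy.
    """
    return (entropy_bits(word_list_size, word_count),
            entropy_bits(alphabet_size, password_length))


if __name__ == "__main__":
    phrase_bits, pw_bits = compare_strength()
    sample_bits = entropy_bits(len(SAMPLE_WORDS), 5)
    print(f"Passphrase from the 16-word sample list ({sample_bits:.1f} bits): "
          f"{generate_passphrase(SAMPLE_WORDS)}")
    print(f"The same 5-word passphrase from a {DICEWARE_LIST_SIZE}-word list: {phrase_bits:.1f} bits")
    print(f"8 random alphanumeric characters ({pw_bits:.1f} bits): {generate_password()}")
```

The comparison is the point: eight random alphanumeric characters give roughly 47.6 bits, while five words from a 7776-word list give roughly 64.6 bits and are easier to remember. Both generators draw from `secrets` rather than `random`, since the entropy figures assume a cryptographic random source.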

In addition to these tips, it is important to be mindful of the information you share online and with whom. Be cautious about clicking on links or downloading attachments from unknown sources, as these can be used to install malware on your device. Also, be wary of phishing scams, which can trick you into revealing personal information or login credentials. Always check the URL of a website before entering sensitive information and look for the security padlock icon in your browser's address bar. These simple steps can help keep your personal information and data secure.

SQ Insight: Folden Peterson – Director, Federal Initiatives

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
