Why doesn't Cyber Security report to IT?

Over the past twelve months, I've been working quite closely with a cyber security consultant (Corch from Shogun Cybersecurity), which has fundamentally changed how I think about IT and cyber security in an organisational context. I've always been fascinated by the topic of cyber security, and over the last 10 or so years I have absorbed every piece of information I can find.

Recently Corch wrote an article on his blog about his experience providing best-in-class cyber security services to small business clients. His conclusion was that it's your IT provider who is the root of your cyber security problems, and his article makes really valid points.

But let's step back for a minute and look at the environment which led to the reality that Corch so vividly described. What are the conditions that led to so many of the small businesses I meet having shameful cyber security?

The Reasons

I think it boils down to four areas:

  1. IT being seen as the same as cyber security
  2. A focus on technology, not business risk
  3. Skills gap, both from IT and leadership
  4. A culture of overconfidence

I'll do my best to describe the differences here.

Cyber ≠ IT

The biggest misconception in cyber security today is that cyber security and IT are exactly the same thing. From the outside, it's an easy mistake to make. Cyber security relies on IT and spends most of its time working with IT to keep the organisation safe, but the purpose of each is very different. To summarise:

  • IT is about helping people get their work done. Great IT brings orders of magnitude higher levels of organisational productivity.
  • Cyber security is about protecting assets. Put bluntly, cyber security's job is to protect the business from IT and its users.

I was speaking to someone who said their in-house cyber security person reported directly to the IT manager. I then asked: does your WHS (OSH) manager report to the production manager? No? They report to a risk manager or the CEO? Why? Because the production manager's primary role is to increase production, while following the WHS rules set out by the organisation.

What is the point of a WHS manager (or cyber security professional) if their path to the CEO is through the very person who looks bad when serious concerns are raised? Maybe the production manager has a different mindset about risk vs productivity? Do you think this might also be a reason IT providers are not giving you appropriate data on your cyber risks too?

Technology, not risk

The way Corch and my industry peers talk about cyber security is very different. The thing that stands out most to me is that instead of talking about a list of products and technology controls, Corch speaks broadly about risk. Don't get me wrong here, Corch is one of the most technically capable people I know, but rather than spending a lot of time evaluating vendor products, he instead invests the time and energy in establishing the organisation's cyber security needs.

In contrast, if I have another conversation with an IT provider about what the best antivirus is, or that Dropbox isn't secure because Microsoft doesn't own it, I'm probably going to go postal. For most IT providers, security is really "what percentage of my customers buy the correct security stuff from me" rather than any real focus on the people and process part of cyber security. If you need any real evidence of this, just have a look at the unbelievably low adoption of controls like MFA and unique passwords, and you can see why 24% of ransomware incidents are caused by an IT provider or vendor (Beazley, 2019).

Skills Gap

This is the root cause of the cyber security issue in my opinion. How many CEOs, board members, practice managers and IT managers have really had any experience in cyber security specifically? The answer is almost none. The only real experience they may have had is experiencing an incident firsthand, or hearing about one from a friend.

Why is the skills gap so scary? Because of a cognitive bias called the Dunning–Kruger effect. This concept states that the first time you learn about something, you become more confident than you ever will be about it again. Yes, even when you are the world's leading expert on cyber security, you will still not feel as confident as when you first learned about it.

This confidence makes people believe they know everything about a topic, when they actually know hardly anything. The strange thing about this is that most people can't self-identify this bias at all, so it requires someone who knows better to point it out. This leads me to my next point.

Culture of Overconfidence

When asked, 1 in 5 Australian SMEs said the weakest link in their cyber defences was: “there is no weak link” (Chubb 2019). I would love to see a survey of IT providers too; I would expect this number to be a lot higher. The traditional mantras go along the lines of:

  • My IT company looks after cyber security, we are covered
  • I'm insured so we are protected
  • I've never been breached
  • Our people don't click on links
  • This is fine

At the end of the day, we all have to recognise that no system is perfect and that there are always weak links. For most small businesses out there, their weakest link is likely their IT provider, followed by the passwords their staff use. For other organisations, it may be in the capability of the leadership, or in incident response.

So, what can you do?

Get independent advice. Please. If not Corch or me, someone else who can help you navigate your risks in a sensible way. Don't rely on your overconfident IT person to say it's all fine; find someone who can proofread their work and give you a real indication of what your risk actually is.

Oh, and if you are a customer of mine, I still encourage you to get someone independent to review our work; we are only human, after all.

References

Small Biz, we need to talk about your IT service provider – https://cyberz.wtf/posts/we-need-to-talk-about-your-it-service-provider/

Ignorance is Risk – Australia SME Cyber Preparedness Report 2019 – https://www.chubb.com/au-en/articles/australia-sme-cyber-preparedness-report-2019.aspx

Beazley breach insights – October 2019 – https://www.beazley.com/news/2019/beazley_breach_insights_october_2019.html

Dunning–Kruger effect – https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect