Avoid four misconceptions and implement a practical security management system in China

Publisher: EE小广播. Latest update time: 2024-01-11. Source: EEWORLD. Author: 于淼, Research Director, Gartner. Keywords: Gartner

A security management system is a complex ecosystem that defines an enterprise's key information, security principles, resources, and activities (see Figure 1). Organizations often find it difficult to build and operate security systems that are both practical for employees and able to manage rapidly evolving digital risks effectively. Chief information officers (CIOs) therefore need to understand and avoid the common misconceptions, build a robust security system, and respond to the cybersecurity challenges facing China's digital businesses. CIOs and their security teams are prone to four common misconceptions when building a practical security system:


  • Setting unrealistic goals and hoping to defend against all attacks

  • Security policies that cause friction while failing to reduce risk effectively

  • Reporting to senior management that conveys too much security technology and operational detail that is not linked to the business

  • Adopting a traditional centralized approach to distributed risk decision-making, which does not scale effectively for agile digital projects


Figure 1: Components of a security management system



Misconception 1: Setting unrealistic goals and hoping to defend against all attacks


In today's digital environment and threat landscape, it is neither realistic nor appropriate for an organization to set a security goal of stopping every attack. There is no perfect protection mechanism. In a multilateral business and risk environment, enterprises should strike a balance between protective measures and business operating needs. That balance needs to be discussed and decided together with business leaders, rather than left to IT alone (see Figure 2).


Figure 2: Security is a choice: what level of risk is appropriate?



When executives ask, "Can we achieve 100 percent security?" CIOs and their security teams should steer the conversation toward a discussion of risk. It is not cost-effective to invest large amounts of money to prevent security incidents that have a small impact on the business. Organizations should identify security risks that may impact the achievement of business strategic goals and performance and define risk control metrics. It is critical to establish clear connections between business goals, security risks that impact business success, and tracking metrics.


Misconception 2: Security policies cause friction but do not reduce security risk


The fundamental purpose of a security policy is to encourage behaviors that promote security and discourage harmful behaviors by identifying, assessing, and controlling risks. Nonetheless, employees may find that some policies developed by the security team in isolation are difficult to follow, unreasonable for their roles, or in conflict with their job objectives. As a result, employees may choose to ignore these policies and continue to engage in unsafe behavior.


The 2022 Gartner Security Behavior Drivers Survey found that 69% of employees intentionally bypassed the organization's cybersecurity policies in the past 12 months. Additionally, 74% of respondents said they would bypass cybersecurity policies if it would help an individual or team achieve business goals (e.g., meet an upcoming deadline and/or meet revenue goals). This disregard for security policies often occurs because security-induced friction prevents employees from doing their jobs effectively.


To avoid this pitfall, organizations should use scenario-based testing to confirm that a policy is workable. Test the security policy against the many real-life scenarios that employees face and determine whether it supports or hinders each one. Consider developing a user manual that explains the security requirements for these common scenarios in plain business language rather than technical jargon. Finally, identify, understand, and resolve the friction your employees experience.


Misconception 3: The message delivered does not resonate with stakeholders


Security governance refers to the processes and capabilities that ensure reasonable and appropriate actions are taken to protect an organization's information resources in the most effective and efficient manner in support of its business objectives. As CEOs pay increasing attention to the business losses caused by security incidents and breaches, and as media coverage of them grows, many large Chinese enterprises have established enterprise-level security committees as governance bodies.


Although such committees are composed of executives from business and functional units across the enterprise, communication on the security agenda and related topics remains primarily compliance-oriented or IT-centric. This fails to demonstrate the value and relevance of security investments to business results, and fails to resonate with CEOs and business executives.


To avoid this misconception, CIOs and security teams should describe security risks in terms of business outcomes, not just compliance. This resonates better with the CEO and the business members of the committee. At the same time, understand the context in which you are communicating and choose a way of conveying value that suits it.


Misconception 4: A centralized risk decision-making approach cannot support agile digital projects


Organizations' security and risk decisions are becoming increasingly decentralized as business units hire more of their own digital technologists rather than relying entirely on corporate IT staff. In addition, in China's highly competitive digital environment, enterprises are increasingly adopting new IT methods such as agile and DevOps to accelerate the delivery of digital services, which in turn increases the pressure to make risk decisions quickly. If an enterprise still relies on a single, traditional centralized security team to make these decisions, it will struggle to recruit enough security talent to keep up with the rapidly growing number of distributed risk decisions and the speed at which they must be made. Furthermore, the opportunity cost of decentralized decision-making can quickly exceed the value it adds.


To avoid this misconception, CIOs should cultivate the cyber judgment of all employees in the enterprise so that risk decisions for agile digital projects can be made in the volume and at the speed required, which greatly reduces the enterprise's overall cyber risk exposure. Additionally, because cyber judgment does not require security personnel to be fully involved in every risk decision, the security manpower saved can be reallocated to more impactful cybersecurity activities.

