It's May 2012, and it's a rainy day in South Wales.
A large multi-national, multi-disciplinary company with ambitions to break into the FTSE 100 is holding its annual conference at a local country club. The CEO and finance director have just driven down from delivering the company's annual results.
It has been a great year and the air is full of self-congratulation. The CEO stands up to give his keynote address; however, despite the good share-price news and healthy profit margins, his expectant audience is surprised to find his demeanour unusually serious.
He explains that moving the company into the FTSE 100 will expose it to far greater world-wide scrutiny, from a range of industry competitors and from those interested in the work it does on behalf of government departments. Indeed, he reports that he thinks it is already happening: the company has recently ‘lost’ some of its critical intellectual property and missed out on a few large contracts.
The reason, he says, is poor cyber security, and fixing it is now the company's top priority. All eyes turn to the CIO, who has gone as scarlet as a guardsman's tunic and is visibly squirming in his seat. Were they right to single him out?
Actually, they weren't. When the facts were examined, the incidents comprised the following: a mis-sent email (a strategy document sent to a competitor); commercial papers lost on a train; a former employee who was not legally prevented from taking bid information to a competitor; a laptop left on a plane with its passwords attached; and careless use of social media giving away intellectual property.
In this particular case every breach was down to human error. None was the direct fault of the ICT department, or indeed of any single department; together they reflected a collective failure of the company to invest in its people. There was a distinct lack of company-wide education and training, no shared focus on which information was critical to the company's business objectives, no suitable ICT products or business processes for handling it, and no effort to foster a pervasive culture of information risk management.
Does this sound like an IT department issue to you? No, and this particular case isn't unusual. Indeed, industry research reported that human error (together with system glitches) caused nearly two-thirds of data breaches globally in 2012, and all of those could have been prevented with a holistic approach to cyber security within the organisation.
Of course, many of the most successful companies are organised along separate lines of business, each often quite independent, with a light corporate centre managing a small number of corporate functions. The problem with cyber security is that it is only as effective as its weakest link. To ensure cyber resilience, therefore, the whole company must be marching to the same beat and playing to the same standard, from the board to the factory floor.
Good cyber security comes from a holistic strategy set by the board; it is a matter of leadership and proactive information governance. Every part of a company must know with whom, what, why and when it is permitted to share company information. That needs a shared corporate understanding of the threats and risks to different types of information, and shared processes for handling them safely while still exploiting the information to get as much ‘bang for the buck’ from it as possible.
All this will take top-down leadership and board-level commitment if it is to pervade an organisation. It is no good if board members are recklessly using social media, emailing sensitive work to their home accounts or viewing board papers on the latest insecure ICT device, just so as to look good at the next conference they turn up at.
Poor leadership of that kind will not inspire cultural change, no matter how hard internal communications try to advertise best practice.
Andrew Fitzmaurice is CEO of Templar Executives