A cultural view of IT security governance in the wake of AIIMS-like cyber-attacks

The last decade has seen a rapid increase in major, often catastrophic, cyber-attacks (e.g., the AIIMS cyber-attack, the SBI cyber-attack, NotPetya, Colonial Pipeline) against organizations that operate critical civilian infrastructure around the globe, and even more so in the post-COVID work-from-home (WFH) age. These infrastructures span diverse sectors such as finance, energy, health, retail and transportation. The trend persists because most companies around the globe focus on cyber-security awareness (which is indeed increasing) but fail to change the behavior of the employees who control the technology, the C-suite included, with respect to adopting cyber-security ‘best’ practices to an extent that reflects a strong cyber-security posture for the company. Two reasons stand out: (a) the C-suite in most firms has traditionally given far greater priority to business productivity and shareholder interests than to cyber-security, and (b) the same C-suites usually do not consider cyber-security a pre-requisite to doing business.

The irony is that in today’s pervasively digital world, cyber-security is a necessary pre-requisite for business continuity and productivity, a fact that surprisingly bypasses most C-suites in small and medium businesses (SMBs), which comprise approximately 90% of global industries. The current annual cyber-loss faced by IT/IoT-driven corporations worldwide amounts to more than a trillion US dollars and is rising. To really combat the risk of a security breach, which can directly erode an organization’s market advantage over its competitors, the C-suite must design, implement and popularize intra-organization policies that ‘penetrate’ deep into the ‘consciousness’ of all the organization’s stakeholders, rather than simply raising awareness.

Inspired by ancient Indian philosophy, let us take a Vedic and Puranic stance and use simple ‘pearls of wisdom’ (philosophical tales) to motivate, for the ease of management practice, the ‘right’ things for various stakeholders to do in the interest of an improved organizational cyber-security posture. The hope is that such tale-driven philosophy will strike a chord with Indian (and hopefully global) managers, C-suites and other employees, so that they take cyber-security more seriously and comply with cyber-security best practices in an increasingly digital world. The article first rationalizes (in Part 1) that cyber-security posture is the outcome of necessarily establishing an organizational cyber-security culture, analogous to performing a yagna. I will then detail five action items (the doables of the yagna) through a Vedic lens (Parts 2-6) that can ensure a strong cyber-security culture and consequently a much-improved organizational cyber-posture.

Why is establishing an organizational security culture akin to performing a yagna?

According to the Rig Veda, the oldest Hindu scripture, the main business venture characterizing any organization is analogous to a yagna. This is a ritual initiated by the yajaman (e.g., a CXO), who makes offerings (e.g., investments, capital) into agni, the fire burning in the altar that represents the sacrificial pyre, exclaiming “svaha”, “this of me I offer” (investments, goods, services, business ideas, different types of capital), hoping to please his chosen deity or devata, who will then grant him whatever he desires (e.g., return on investment, profit, competitive advantage, all reflective of the goddess Lakshmi, ‘wealth’), exclaiming “tathastu”, “so it shall be”. The universality of the yagna lies in the fact that every interaction in business, between any two entities upstream, side-stream or downstream, be it investor and entrepreneur, employer and employee, manager and executive, professional and vendor, entrepreneur and partner, or seller and buyer, is a yagna.

In the context of cyber-security, the offerings are the ‘best’ security culture practices adopted by all members of an organization (e.g., a CTO recommending that the organization follow the NIST guidelines, the CISO mandating multi-factor authentication, an employee making effective use of password manager software and periodically applying software patches to IoT devices and work laptops/desktops); and Lakshmi represents the benefits of those offerings (e.g., a lower chance of cyber-attack, a high degree of business continuity, lower cyber-losses, increased customer and shareholder faith, an increased customer base and profit). As a necessary (though not sufficient) condition, unless the offering (svaha) is sacrificed by a yajaman, the market/cyber-space (devata) does not grant (tathastu) that Lakshmi walk the way of the yajaman. The key to any yagna is the decision to willingly pour svaha into the fire by a yajaman who works to realize a vision or goal but is not guaranteed a proportionate return. To build a robust and compliant cyber-security culture within an organization, and potentially reap the consequent market benefits, we need able decision-makers (the kartas) and complementing decision-followers (the karya-kartas) woven through the organization at all levels of management.

Through the rest of the article (Parts 2-6), I will propose the following five necessary (but not exhaustive) “action” items for the management of any IT/IoT-driven organization that will significantly improve its security culture.

Action #1: C-suites must be enticed to promote security culture as a just cause.

Action #2: Stakeholders apart from the C-suite must be seduced for the just cause.

Action #3: The C-suite must be a bold decision maker on the just security cause.

Action #4: A culture of compliance is a must to improve enterprise security posture. 

Action #5: Cyber-security awareness among employees, without corresponding action, is not enough.

Specifically for the purpose of effective management practice, each action item is paired with a tale-driven philosophical inspiration that is ingrained in popular Indian culture. These fables, borrowed from the ancient Indian Vedas and Puranas and acting as allegories, follow the wisdom of the sages to impart executive and managerial cyber-security education, molding employee behavior through simple and effective storytelling.



Disclaimer

Views expressed above are the author’s own.