Real Answers to Common Questions on Cybersecurity

by NAVEX Global

[author: Pamela Passman, President and CEO, CREATe Compliance]

Q: In my company, the IT directors see cybersecurity as an IT and software issue to be solved with software and hardware. How do I convince the team that employees need to also be trained on risky behavior – something that software and hardware cannot accomplish?

A: Cybersecurity is a people, process and technology issue. So it’s critical that there are policies and procedures in place to help manage and mitigate cyber risks. This involves ensuring that employees are aware of the policies, are implementing the procedures and are engaged in monitoring, and any kind of corrective action that’s needed. To do this successfully, you really have to make your employees aware of the risks, educate them on their role in mitigating them, and train them on best practices to ensure they are not contributing to risk but in fact mitigating it.

Q: When providing cyber training for your organization, should it be approached differently than other training topics in regard to frequency and duration?

A: First of all, cybersecurity training is such a critical issue for all employees that it should be integrated into the initial onboarding training that all employees receive. There should also be annual training that provides employees with a deeper level of understanding. Cyber threats evolve very quickly these days, so it is critically important that your employees (and board members) are kept informed of evolving threats throughout the year. While the majority of methods of entry into your system are understood, when new types of threats emerge, we advise keeping your stakeholders informed as quickly as possible. With this rapidly evolving landscape in mind, we recommend burst training segments designed to keep key concepts and practices top-of-mind throughout the year. Information reinforcement techniques like short quizzes, awareness posters around the office and email communications also help employees recall their cybersecurity knowledge before it is tested by a real cyber threat.

Q: In an enterprise-wide cybersecurity approach, what should be the role of the compliance team?

A: There are a few ways to go about answering this, but I think it all starts with having the ability to perform an effective risk assessment. The compliance function involves a cross-organizational approach and has the capabilities to truly identify a company’s greatest risk by developing its risk profile. After identifying and prioritizing risks, the compliance team can lead the effort in developing policies and procedures, documenting policies and procedures, and ensuring those policies and procedures are understood by a broad employee base. The compliance team understands where policies need to be quantified, where they have to be placed, and how to use codes of conduct, employee handbooks and web-based resources to disseminate that information.

Compliance folks also understand how to view cybersecurity risk through the lens of third parties and interpret how those relationships impact the company’s risk profile. Along with identifying third-party risks, the compliance function is equipped to develop and deploy training and awareness building for employees and key third parties alike. So there is a lot that the compliance group offers to bolster an enterprise-wide cybersecurity approach, and it all drives back to the department’s unique ability to create systematic ways of identifying when something doesn’t work and defining the corrective action that’s needed in response.

Q: Can you offer any advice on how to build the best case for getting more corporate resources dedicated to cybersecurity training?

A: Every day there is something in the news about organizations generally of all different sizes that have been breached and have had to deal with the impact of the loss, compromise or destruction of data. Making key decision-makers aware of the general threat landscape is helpful, but more helpful is making them aware of the threat landscape specific to your organization. It’s also key to help your colleagues understand any regulatory requirements that your organization faces in terms of government procurement, sector-specific regulations – that continue to evolve at the federal and state levels in the U.S. and around the world – or contractual or other undertakings that could require that certain information security capabilities be implemented in your company.

All of this provides context for articulating the potential financial, business and reputational impact of a cyber breach, and making threats real and relevant to your company and your sector.

Q: Cybersecurity is no longer a new risk, however the idea of approaching it with cross-functional engagement and shared departmental responsibility is still fairly new. Is there any guidance you can provide to identify who should be engaged?

A: First and foremost, it is important to emphasize that cybersecurity is an enterprise-wide risk usually involving all your business units, all your operational units, all your employees and all your key third parties. By its nature, it requires a cross-functional approach. Key players would be IT, Security, Legal, Compliance, HR, Operations, Procurement or your supply chain and customer support. Specifically for customer support – if your network is compromised or customer data is compromised, you are going to need a way to communicate to your customers and for your customers to contact your organization. Public relations and communications are also key. Those teams need to be able to articulate the company’s approach to cybersecurity and, should there be a breach, they will be key in helping the company communicate what’s happening and what it is doing to respond to it.

In short, a better question would be, which departments do not need to be involved? The answer to that is none.

Q: What is the biggest new threat currently facing organizations in regard to cybersecurity?

A: There are a number of new threats that come to mind, but there are also a number of threats that are manifesting themselves in new ways. To this point, ransomware is a new variation of an old threat. Stealing information has always been a threat, but now bad actors are holding this information until receiving a ransom, or threatening to share the information publicly if a ransom is not received. In some cases, the biggest threat is the complete destruction of information, or just as threatening, the manipulation or corruption of that data – in essence destroying it.

Mobile usage is accentuating threats as well. Individuals are now managing a growing number of devices. A lot of sensitive information is now being managed remotely, with increasing access points. We are using the same mobile phone to change the temperature in our homes, access our corporate networks, or do our online shopping. There are just so many more connection points today to protect – and varying security controls on each access point.

View original article at Ethics & Compliance Matters™
