Executives and Security. It's Not Personal.
When asked why he robbed banks, Willie Sutton famously responded, "Because that is where the money is."
When discussing security with executives, I find they often take the idea of phishing attacks and other compromises very personally. This is understandable, but it is rarely personal.
Cyber criminals don't generally target people; they target roles. If you are in a role with greater access to money, data, or influence over others, you are a target.
I'm not suggesting anyone likes being a target, but I am suggesting they accept it and then act accordingly.
To help executives understand their situation, I find it useful to share the most recent data about attacks on people in roles like theirs, along with an anecdote or two. I also acknowledge the challenges these individuals face: the demands on their time, the volume of information they handle, and the need to stay highly productive while mobile.
The reality is that we need to help senior people understand that good security practices are akin to, if not in fact, a fiduciary responsibility.
The more context we build into educating these individuals, the better equipped they will be.
The broad security awareness training we give to the organization is typically not sufficient or effective for executives.
Depending on your organization, that may mean running additional sessions specifically for executive teams or holding one-to-one discussions.
Remember that a key component of security education is context, so you need to determine at what level to engage to create effective context.
Other specific measures can also be effective with executives. These steps may be too costly to apply across the whole organization and can be somewhat inconvenient; however, if we apply sound risk management thinking, it may make sense to treat different people differently.
These measures may take the form of particular device types, encryption, multi-factor authentication, password management tools, and so on. And of course, as I have mentioned in the past, good business processes and practices are critical. People bypassing controls to react instantly to requests from what appears to be an executive in their organization is something cyber criminals consistently count on. In our role we need to help executives understand their role and why they are targets. And while cyber crime isn't personal, we need to protect the assets by educating the person in the role.