Cybersecurity and Company Culture

January 2017 Sustainably Engaged: Cybersecurity and Company Culture © 2017 Willis Towers Watson. All rights reserved.

Transcript of Cybersecurity and Company Culture

Page 1: Cybersecurity and Company Culture

January 2017

Sustainably Engaged: Cybersecurity and Company Culture

Page 2: Cybersecurity and Company Culture

The business impact

Agenda

The current cyber risk threat environment

Diagnosing culture for cyber risk

Moving to action to mitigate risk

Page 3: Cybersecurity and Company Culture

The Current Cyber Risk Threat Environment

Page 4: Cybersecurity and Company Culture

The threat environment: By the numbers

• Million personal records breached in 2016 alone
• The percentage of cyber incidents occurring from a Denial of Service per Verizon 2016 Data Breach Investigation Report.
• Median # of days from first evidence of compromise and discovery of compromise
• The percentage of compromises detected by an external entity
• The percentage of data disclosure in the finance industry due to web apps (82% of these incidents had confirmed data loss)

Figures on slide: 34%, 554, 205, 69%, 48%

The percentage of cyber claims related to employee driven incidents per Willis Towers Watson 2016 data.

69%

Number of prior year security incidents per Risk Based Security 2015 Data Breach trends Report

3,930

Page 5: Cybersecurity and Company Culture


The threat environment: Major sources of cyber breaches

• Cloud or 3rd party compromise
• Malicious insider
• Hacktivists
• Criminal hackers
• Negligent insider

Page 6: Cybersecurity and Company Culture

Willis Towers Watson Cyber Claims Data


Page 7: Cybersecurity and Company Culture

Willis Towers Watson Claims Data


Page 8: Cybersecurity and Company Culture

Diagnosing Culture for Cyber Risk


Page 9: Cybersecurity and Company Culture

Employee research on the human behavior element

Learnings from organizations experiencing cyber breaches

Organizations identified as experiencing data security breaches overlap with Willis Towers Watson’s database of results from employee surveys

12 organizations with breaches also have employee survey data available

Using those surveys, two sets of comparisons are examined:

• Global opinion scores for these 12 companies versus the Willis Towers Watson Global High Performance Norm – a benchmark of 28 companies with consistently above-sector average financial results over three years
• Opinion results for IT functions within these companies versus the Willis Towers Watson Global IT Functions norm – a benchmark from only IT workers in 448 companies

Findings suggest that environments experiencing data breaches may lack:

• A laser-sharp focus on customers and responsiveness to their needs
• A strong company image fostered among employees to show commitment to social responsibility
• Comprehensive training, especially among IT staffers, to understand jobs thoroughly

Page 10: Cybersecurity and Company Culture

Breach companies versus relevant comparison groups

Category | Gaps: Breach Companies below Global High Performance | Gaps: IT Employees in Breach Companies versus Global IT Functions
Supervision | -4 | 1
Employee Involvement | -5 | 2
Pay for Performance | -7 | -2
Employee Engagement | -7 | 2
Career Development | -8 | 0
Leadership | -8 | 1
Customer Focus | -10 | 2
Company Image | -10 | 0
Training | -14 | -3

Chart axis for both panels: -20 to 20

Page 11: Cybersecurity and Company Culture

Breach companies globally: Customer Focus

Survey items:

• This company is truly customer-oriented
• Department actively seeks to understand customer requirements and expectations
• Department gets feedback on how satisfied customers are with work performed
• Department constantly looks for better ways to serve customers

% Favorable, Breach Companies Overall: 71%, 76%, 81%, 81%

Gaps: Breach Companies below Global High Performance: -8, -10, -12, -9

Page 12: Cybersecurity and Company Culture

Breach companies globally: Company Image

Survey items:

• This company is socially responsible in the community
• This company operates with integrity in its external dealings (with customers, suppliers, etc.)
• This company is highly regarded by its customers
• This organization is an environmentally responsible company

% Favorable, Breach Companies Overall: 72%, 77%, 79%, 85%

Gaps: Breach Companies below Global High Performance: -3, -9, -9, -19

Page 13: Cybersecurity and Company Culture

Breach companies IT functions: Training

Survey items:

• Training received has adequately prepared me for work I do
• Employees new to my department receive adequate job training
• Have been well trained to deal effectively with customers/clients

% Favorable, Breach Companies IT Functions: 51%, 60%, 74%

Gaps: Breach Companies below Global IT Functions: -2, -7, -13

Page 14: Cybersecurity and Company Culture

Creating a learning environment for IT

Differentiators of strong versus weak learning environments among global IT staff

The 2016 Global Workforce Study is used to segment IT workers based on opinions of learning environment (access to effective training & strong personal development)

Percent Favorable by Learning Environment Quartile

Item Differentiator | Bottom Quartile | Top Quartile | Gap: Top vs. Bottom Quartile
Organization acts on employee ideas | 75 | 88 | 13
Senior leaders interested in employee wellbeing | 74 | 89 | 15
Trust & confidence in senior leaders | 73 | 94 | 21
Clear link between performance & pay | 69 | 91 | 22
Involving employees in decision making | 76 | 89 | 13
Believe in information from senior leaders | 71 | 94 | 23
Organization seeks employee suggestions | 70 | 88 | 18
Leaders behave consistently with company values | 68 | 93 | 25
High performers are well rewarded | 67 | 93 | 26
Enough staff to get job done well | 62 | 90 | 28

Strong learning environments are places where companies and leaders:

• Value employee input
• Take performance seriously and reward superior effort
• Model the values and concern for employee wellbeing
• Provide resources (i.e., staffing) to create time and space for learning

Page 15: Cybersecurity and Company Culture

Moving to Action


Page 16: Cybersecurity and Company Culture

Content model for cyber risk culture survey: Awareness & action

INDIVIDUAL’S ROLE: / ORGANIZATION’S ROLE:

AWARENESS / ACTION

FOCUS:
• Organizational emphasis
• Customer orientation
• Structure & accountabilities
• Incentives

CONFIDENCE:
• Training
• Understanding
• Process clarity
• Personal responsibility

DELIVERY:
• Role modeling
• Learning
• Communicating
• Resolving

RESPONSE:
• Vigilance & voice
• Right behaviors
• Engaged action

Page 17: Cybersecurity and Company Culture

Quantifying cyber risk

• The most comprehensive quantification of cyber risk
• Frequency and severity of both privacy breaches and network outage
• Provides insight into the metrics that drive cyber/network outage risk
• Provides decision support to drive insurance purchase strategy and evaluation of specific options
• Sensitivity testing promotes a better understanding of risk and how the exposure profile should be presented to the insurance marketplace
• Concise and impactful output for communication with internal stakeholders

Page 18: Cybersecurity and Company Culture

Case Study: Cyber Security Talent Strategy

Background:

The Board and top leaders of a telecommunications company, realizing that information security is a constantly evolving and increasing threat, hired Willis Towers Watson to ensure the human capital necessary to manage cyber risk is in place and deployed appropriately. In focus was organizational readiness from an effective structure and skilled talent base. Capabilities and skills to address cyber security were evaluated as part of building a workforce strategy to enhance oversight and responsiveness to cyber and information security risk.

Business Issues Addressed & Process Overview

• With IS roles: Job leveling, reporting relationships, fit of hire to job skills
• Within cyber divisions: Frequency of open job requisitions, time to productivity
• Half-day sessions with key leaders to probe management of cyber teams
• External market survey to study how cyber-related teams are structured in the industry and how talent is sourced

Page 19: Cybersecurity and Company Culture

Case Study: Cyber Security Talent Strategy

Business Outcomes

• Within a three-month period designed an organizational model to mitigate cyber security risks and enhance talent effectiveness
• Addressed unplanned talent acquisition and default strategies that were building cyber silos within divisions
• Identified critical talent gaps, resulting in the reduction of invalid roles for the unit while recognizing skills fit for talent in place
• Defined a work and career model recognizing the unique career paths in the IS discipline

The Talent Strategy Solution:

• Defined key business drivers and the nature of work within information security.
• Developed a custom benchmark survey of the industry to analyze emerging skills and organization structure and reporting relationships.
• Completed Workforce Plans for each cyber security area, identifying critical roles and gaps to close.
• Modelled the current and target state organization design, comparing to market shape/size.
• Finalized target state design as well as key talent management interventions in recruiting and career management.

Page 20: Cybersecurity and Company Culture

Moving to action: People-related solutions to address cyber risk

• Partnership among key stakeholders (HR, GC, RM, CTO, CPO, etc.)
• Implement cybersecurity awareness governance and training
• Use incentives tied to training participation and outcomes
• Flexible schedule for employees to attend training sessions
• For IT staff, given the shortage of qualified candidates in this space, an educational or certification rewards program
• Develop incentives tied to achievement of highest rates of customer satisfaction in client-facing teams

“Businesses that roll out training programs see an average improvement of 64% in their phishing email click rates” - Ponemon Report, The Cost of Phishing & Value of Employee Training

Page 21: Cybersecurity and Company Culture

Connecting the dots: Cyber risk management for the future

What you should be thinking about

• Ensure enterprise-wide governance is in place
• Assume hackers are already inside
• Invest in making your whole workforce cyber-smart
• Consider technology one of several lines of defense
• Insure for cyber threats you can’t mitigate; and
• Allocate enough capital to the right cyber defenses

Risk is a team sport. Responses to cyber risk must be multifaceted – there are a number of interventions necessary – but none are sufficient on their own. Proactive risk mitigation will lead to reduced risk overall.

Page 22: Cybersecurity and Company Culture

Key contacts

Anthony Dagostino
Head of Global Cyber Risk
Anthony.Dagostino@willistowerswatson.com
Connect with Anthony on LinkedIn

Adam Zuckerman
Product Leader, Willis Towers Watson Employee Engagement
[email protected]
Follow Adam on Twitter
Connect with Adam on LinkedIn

Patrick Kulesa
Global Research Director, Employee [email protected]
Connect with Patrick on LinkedIn

Adeola Adele
Cyber Thought Lead
[email protected]
Connect with Adeola on LinkedIn

https://twitter.com/WTWhr

https://www.linkedin.com/company/willis-towers-watson

Page 23: Cybersecurity and Company Culture


For more information…

Willis Towers Watson Cyber Risk

Willis Towers Watson Employee Insights

Willis Towers Watson Employee Engagement Software

Willis Towers Watson HR Software

Sustainably Engaged
