What do the words and advice of a former, highly successful CEO of IBM have in common with sound password management? The answer is surprising.
Lou Gerstner, who propelled IBM to nearly 10 years of non-stop growth and prosperity, has a pointed message for top executives at every company: when it comes to establishing corporate culture, look at what your actions tell your employees.
As Gerstner says, “People do not do what you expect, but what you inspect.” In other words, senior execs have to walk the walk and talk the talk to get others to follow.
That is certainly the case when it comes to password management. One high-level security consultant tells a story of a recent engagement in which he performed a security audit for a company. The audit uncovered several major security flaws, including poor password management. The consultant was to present the findings to the senior staff only one day after the company's CEO had delivered a presentation at a local security conference. All senior staff were present – except for the CEO, who gave no reason for his absence.
“So what’s the message here to the rest of the company execs?” the consultant asks. “It wasn’t a message you’d want the rest of the employees to embrace regarding security!”
Brian Sprang is CIO at Quest Federal Credit Union, where employees have registered a 97% adoption rate for their comprehensive password management solution. Speaking of Quest’s senior managers, Sprang says, “They are proponents of the use of good password security and the tools we’ve provided. All of our executives have been vocal in the use of the tool and understand the vital importance of password security to our daily duties to protect our assets and member personally identifiable financial information.”
So just what should be the role of the top executives with respect to password management? It should be something like this.
Be the chief torchbearer of the message that password security is not an IT problem.
A broad belief that IT will ‘take care of all security’ flies in the face of overwhelming evidence that people, not technology, are the front line of defense against cyber attacks. Whether through memos, live at company meetings, via webcast or by other means, top executives must articulate that password security is the responsibility of each individual. That kind of message conveys both responsibility and accountability.
Actively practice what you preach.
As a senior executive, demonstrate your ‘street cred’ when it comes to password security by describing the steps you have taken to ensure your own passwords aren’t compromised. The simpler the message the better, because password management today isn’t complicated. Let it be known that you don’t use the same password for multiple accounts, and that you use a password management solution to routinely change passwords.
Stress the value of continuing education about password protection.
As with all cyber security measures, executives should personally issue calls to action encouraging continuing education and training about password security. While these sessions can be led by IT, they don’t have to be. In fact, a training webcast led by a senior executive can be very effective in elevating employee awareness of the need for password protection. As Sprang notes of the efforts of Quest’s executive team to continuously promote better password management, “I’ve relayed the reports and findings to staff members in my training documents and all staff meeting notes and highlighted the issues regarding weak passwords and poor password security habits.”
Arm yourself with statistics and knowledge of the cyber security environment.
The training sessions described above are great places to talk about recent cyber attacks and their negative impact on the organizations involved. Most people read the headlines about major attacks against mega-organizations. But with the help of research, such as this report specifically about the cyber security challenge in the SMB, crime statistics and the impact of cybercrime become a lot more personal. As you will see, the report finds that passwords are widely held to be an essential piece of the security puzzle, yet at the same time it shows that 60% of SMB employees use the same password for everything! Snippets such as these, delivered by senior executives, can be very compelling. At Quest, Sprang says, “I have stressed the use of unique, non-repeating, highly randomized, and maximum length passwords as vital to our security and our member data security.”
If cyber security is mission critical – and it is – then creating a culture of information security is among the most important roles executives can fulfill. And there is no substitute for leading by clear, unambiguous example.