cybersecurity and company culture
TRANSCRIPT
January 2017
Sustainably Engaged: Cybersecurity and Company Culture
© 2017 Willis Towers Watson. All rights reserved.
The business
impact
© 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.
Agenda
The current cyber risk threat environment
Diagnosing culture for cyber risk
Moving to action to mitigate risk
The Current Cyber Risk Threat Environment
The threat environment: By the numbers
554: Million personal records breached in 2016 alone
34%: The percentage of cyber incidents occurring from a Denial of Service per Verizon 2016 Data Breach Investigation Report
205: Median # of days between first evidence of compromise and discovery of compromise
69%: The percentage of compromises detected by an external entity
48%: The percentage of data disclosure in the finance industry due to web apps (82% of these incidents had confirmed data loss)
69%: The percentage of cyber claims related to employee driven incidents per Willis Towers Watson 2016 data
3,930: Number of prior year security incidents per Risk Based Security 2015 Data Breach Trends Report
The threat environment: Major sources of cyber breaches
Cloud or 3rd party compromise
Malicious insider
Hacktivists
Criminal hackers
Negligent insider
Willis Towers Watson Cyber Claims Data
Willis Towers Watson Claims Data
Diagnosing Culture for Cyber Risk
Employee research on the human behavior element
Findings suggest that environments experiencing data breaches may lack:
• A laser-sharp focus on customers and responsiveness to their needs
• A strong company image fostered among employees to show commitment to social responsibility
• Comprehensive training, especially among IT staffers, to understand jobs thoroughly
Organizations identified as experiencing data security breaches overlap with Willis Towers Watson’s database of results from employee surveys
12 organizations with breaches also have employee survey data available
Using those surveys, two sets of comparisons are examined:
• Global opinion scores for these 12 companies versus the Willis Towers Watson Global High Performance Norm – a benchmark of 28 companies with consistently above-sector average financial results over three years
• Opinion results for IT functions within these companies versus the Willis Towers Watson Global IT Functions norm – a benchmark from only IT workers in 448 companies
Learnings from organizations experiencing cyber breaches
Breach companies versus relevant comparison groups
Gaps (A): Breach Companies below Global High Performance
Gaps (B): IT Employees in Breach Companies versus Global IT Functions

Category                (A)    (B)
Supervision              -4      1
Employee Involvement     -5      2
Pay for Performance      -7     -2
Employee Engagement      -7      2
Career Development       -8      0
Leadership               -8      1
Customer Focus          -10      2
Company Image           -10      0
Training                -14     -3
Breach companies globally: Customer Focus
Gaps: Breach Companies below Global High Performance
Survey items:
This company is truly customer-oriented
Department actively seeks to understand customer requirements and expectations
Department gets feedback on how satisfied customers are with work performed
Department constantly looks for better ways to serve customers
% Favorable (Breach Companies Overall): 71%, 76%, 81%, 81%
Gaps: -8, -10, -12, -9
Breach companies globally: Company Image
Gaps: Breach Companies below Global High Performance
Survey items:
This company is socially responsible in the community
This company operates with integrity in its external dealings (with customers, suppliers, etc.)
This company is highly regarded by its customers
This organization is an environmentally responsible company
% Favorable (Breach Companies Overall): 72%, 77%, 79%, 85%
Gaps: -3, -9, -9, -19
Breach companies IT functions: Training
Gaps: Breach Companies below Global IT Functions
Survey items:
Training received has adequately prepared me for work I do
Employees new to my department receive adequate job training
Have been well trained to deal effectively with customers/clients
% Favorable (Breach Companies IT Functions): 51%, 60%, 74%
Gaps: -2, -7, -13
Creating a learning environment for IT
Differentiators of strong versus weak learning environments among global IT staff
The 2016 Global Workforce Study is used to segment IT workers based on opinions of learning environment (access to effective training & strong personal development)

Percent Favorable by Learning Environment Quartile
Item Differentiator                               Bottom Quartile   Top Quartile   Gap: Top vs. Bottom Quartile
Organization acts on employee ideas                     75               88               13
Senior leaders interested in employee wellbeing         74               89               15
Trust & confidence in senior leaders                    73               94               21
Clear link between performance & pay                    69               91               22
Involving employees in decision making                  76               89               13
Believe in information from senior leaders              71               94               23
Organization seeks employee suggestions                 70               88               18
Leaders behave consistently with company values         68               93               25
High performers are well rewarded                       67               93               26
Enough staff to get job done well                       62               90               28

Strong learning environments are places where companies and leaders:
Value employee input
Take performance seriously and reward superior effort
Model the values and concern for employee wellbeing
Provide resources (i.e., staffing) to create time and space for learning
Moving to Action
Content model for cyber risk culture survey: Awareness & action
INDIVIDUAL’S ROLE:
ORGANIZATION’S ROLE:
AWARENESS ACTION
FOCUS:
Organizational emphasis
Customer orientation
Structure & accountabilities
Incentives
CONFIDENCE:
Training
Understanding
Process clarity
Personal responsibility
DELIVERY:
Role modeling
Learning
Communicating
Resolving
RESPONSE:
Vigilance & voice
Right behaviors
Engaged action
Quantifying cyber risk
The most comprehensive quantification of cyber risk
Frequency and severity of both privacy breaches and network outage
Provides insight into the metrics that drive cyber/network outage risk
Provides decision support to drive insurance purchase strategy and evaluation of specific options
Sensitivity testing promotes a better understanding of risk and how the exposure profile should be presented to the insurance marketplace
Concise and impactful output for communication with internal stakeholders
Case Study: Cyber Security Talent Strategy
Business Issues Addressed & Process Overview
With IS roles: Job leveling, reporting relationships, fit of hire to job skills
Within cyber divisions: Frequency of open job requisitions, time to productivity
Half-day sessions with key leaders to probe management of cyber teams
External market survey to study how cyber-related teams are structured in the industry and how talent is sourced
Background:
The Board and top leaders of a telecommunications company, realizing that information security is a constantly evolving and increasing threat, hired Willis Towers Watson to ensure the human capital necessary to manage cyber risk is in place and deployed appropriately. The focus was organizational readiness in terms of an effective structure and a skilled talent base. Capabilities and skills to address cyber security were evaluated as part of building a workforce strategy to enhance oversight and responsiveness to cyber and information security risk.
Case Study: Cyber Security Talent Strategy
Business Outcomes
Within a three-month period designed an organizational model to mitigate cyber security risks and enhance talent effectiveness
Addressed unplanned talent acquisition and default strategies that were building cyber silos within divisions
Identified critical talent gaps, resulting in the reduction of invalid roles for the unit while recognizing skills fit for talent in place
Defined a work and career model recognizing the unique career paths in the IS discipline
The Talent Strategy Solution:
Defined key business drivers and the nature of work within information security.
Developed a custom benchmark survey of the industry to analyze emerging skills and organization structure and reporting relationships.
Completed Workforce Plans for each cyber security area, identifying critical roles and gaps to close.
Modelled the current and target state organization design, comparing to market shape/size.
Finalized target state design as well as key talent management interventions in recruiting and career management.
Moving to action: People-related solutions to address cyber risk
Partnership among key stakeholders (HR, GC, RM, CTO, CPO, etc.)
Implement cybersecurity awareness governance and training
Use incentives tied to training participation and outcomes
Flexible schedule for employees to attend training sessions
For IT staff, given the shortage of qualified candidates in this space, an educational or certification rewards program
Develop incentives tied to achievement of highest rates of customer satisfaction in client-facing teams
“Businesses that roll out training programs see an average improvement of 64% in their phishing email click rates” - Ponemon Report
The Cost of Phishing & Value of Employee Training
Connecting the dots: Cyber risk management for the future
What you should be thinking about
Ensure enterprise-wide governance is in place
Assume hackers are already inside
Invest in making your whole workforce cyber-smart
Consider technology one of several lines of defense
Insure for cyber threats you can’t mitigate; and
Allocate enough capital to the right cyber defenses
Risk is a team sport. Responses to cyber risk must be multifaceted – there are a number of interventions necessary – but none are sufficient on their own. Proactive risk mitigation will lead to reduced risk overall.
Key contacts
Anthony Dagostino
Head of Global Cyber Risk
Anthony.Dagostino@willistowerswatson.com
Connect with Anthony on LinkedIn
Adam Zuckerman
Product Leader, Willis Towers
Watson Employee Engagement
Follow Adam on Twitter
Connect with Adam On LinkedIn
Patrick Kulesa
Global Research Director,
Employee [email protected]
Connect with Patrick on LinkedIn
Adeola Adele
Cyber Thought Lead
Connect with Adeola on LinkedIn
https://twitter.com/WTWhr
https://www.linkedin.com/company/willis-towers-watson
For more information…
Willis Towers Watson Cyber Risk
Willis Towers Watson Employee Insights
Willis Towers Watson Employee Engagement Software
Willis Towers Watson HR Software
Sustainably Engaged