Best practices in Cybersecurity: Combating the human vulnerability. An Interview with our CEO, Emmit McHenry

The world of Cybersecurity revolves around the experts who are dedicated to providing the best-in-class security solutions for their clients. Emmit McHenry, Chairman, and CEO of Cycurion is a seasoned veteran and renowned for his technology ventures. We had the opportunity to sit down with Emmit and discuss how cybersecurity can be improved at the corporate level, best practices to follow, and how educating your staff is the best way to protect your company.

 

Q: We’d like to discuss your overall view on National Security in the context of how cybersecurity should be addressed in the corporate boardroom.

Emmit McHenry (EM):  As practitioners of the art of cybersecurity, we all tend to focus on the tools and the technology of the craft – after all, our passion is often steeped in the technology that enhances our capability to defend our client-partners, while pushing the boundary of the state of the art.- However the tools are not THE solution. The solution starts with our people; it starts with our policies, our processes, how we communicate, and how we follow protocols, and the tools surround that.  However, we could have all of the tools in the world, but without people practicing the appropriate behavior for security, the tools alone are not going to solve all of our problems.

 

Q: How do you describe where the responsibility rests when implementing strong and effective solutions in cybersecurity?

EM: Effective cybersecurity revolves around two concepts: How we manage our day-to-day practices, and how the message of good security hygiene is reinforced. Security is everybody’s responsibility, it’s not just the folks that develop and manage the tools. Though we will always want the best tools we can find or develop, even the best tools will be weakened by human behavior.

As an executive, or as a manager of a company, you have got to communicate the corporate vision and create a culture of security awareness – and that will govern the practices; your people need to have a sense of ownership for corporate security. If they do that (follow the best practices) then they will individually be secure as well.

 

Q: How do we communicate to corporate leadership the importance of human behavior and how it relates to creating a more secure environment?

EM: It starts with leadership in the C Suite – and this is important. Following the Target incident several years ago both senior management and board of directors were focus on preventing breaches. That moment and heightened awareness lead to changes in many organizations where the board looked to the CEO as the responsible person.

Of course, we have technology folks who will reinforce the need for a culture of strong security behaviors, who will give feedback, and who will monitor human behavior, but it has to be part of the corporate culture, and that culture has to be a bottoms-up top-down commitment. I know board members are constantly inundated with the latest “this” in terms of strategies or security products and are thinking about cybersecurity so at the board level that’s a big deal.

We have to carry the message around policy and policy development that embodies security awareness and security practice.

 

Q:  So how do we educate senior management? It seems as though if they are creating the culture, then security has to be at the core of how they look at the world. How do you educate those folks, so that they create an environment for any organization to really view security as one of the key pillars to move the business forward?

EM: I think that the security executive needs to establish a dialogue with the CEO. They need to spend time briefing the CEO on practices around the policy framework and the importance of following internal cybersecurity protocols. The CEO has to periodically send messages throughout the management structure that everyone in the company is responsible for the company’s security.

Certainly, the company has invested money, they’ve invested in people and the best tools in the marketplace, but their weakest link is found in human behavior.  The weakest link is often the person who is coming online day-to-day not adhering to the security protocols that are in place. Now that so many people are working from home, and significantly more will continue to work from home, we need to be very sensitive to these vulnerabilities and the best practices to remediate these vulnerabilities. For example, multi-factor authentication for access, in point encryption, etc.

So as board members review financial results and are talking about the latest market moves, there must also be an equally important conversation about the organization’s cyber security readiness. Including this conversation as a normal part of the agenda, may signal to all stakeholders that cybersecurity is an important component, and all risks need to be regularly considered and evaluated. Doing so will also bolster the importance of cybersecurity best practices throughout the organization and will enhance the growth of the cybersecurity culture!

 

Q: What is your best advice to anyone seeking to reinforce their cybersecurity?

EM:  You need to invest in tools and people. Let’s start first by investing in people and education. The tools will follow. Developing a cybersecurity program with a multi-year outlook with sufficient resources to execute the required activities is the goal. This entails a firm commitment and senior management investment in security tools available to mitigate the known security risks, and most importantly, invest in training and educating your people.