The 'People' Part of Enterprise Cybersecurity Strategies
For many years, enterprise leaders have approached their network and systems defense strategies with a technology-centric focus: They approve the acquisition of firewalls, anti-malware products and intrusion detection systems, and hire an IT team to oversee it all. Then they conclude that they’re finished with the subject until they review progress a year or so later.
What they’re beginning to discover, however, is that these efforts – while serving a primary role within the strategy – aren’t enough. Cybercriminals are coming up with increasingly sophisticated and effective attack methods. As a result, organizations are “feeling the pain”: the most recent annual Data Breach Investigations Report (DBIR) from Verizon documented more than 100,000 incidents and 2,260 confirmed data breaches over the last year.
To respond to the heightened state of vulnerability, leaders must recognize that a fully realized cybersecurity strategy has to focus on a key internal asset – people and culture – as much as, if not more than, technology. CEOs and top executives (including the CIO, the CISO, etc.) should serve as evangelists for the ongoing education and training of the workforce, to institute a top-to-bottom awareness of best practices and prevention in the interest of network and data protection.
We can break down the human part of the equation into two distinct groups – internal users and cybersecurity team members.
With the rise of cloud computing, social media and Bring Your Own Device (BYOD), not to mention Bring Your Own App (BYOA), employees and other internal users are determining which devices and tech tools will support them at work. Unfortunately, due to a lack of awareness (as opposed to any ill intent), they too often lapse into risky behaviors that hackers target. They share passwords indiscriminately. They leave laptops open in plain view at a coffee shop. They call up an industry-related forum, then click on links sent by potentially suspicious parties.
To reduce or even eliminate such incidents, senior executives need to stress the urgency of user training at all levels of their organizations, within all departments. Sessions should educate participants about appropriate email usage, the latest social engineering attacks and phishing scams, and additional best practices. Interactive methods work best here. You can’t sit staffers in front of an hour-long video and expect them to walk away with an actionable plan that they’ll take back to their desks. Give them something to see, touch and respond to, so they “learn by doing.” Then measure and report on their progress.
Then, incorporate this training into the daily aspects of corporate life. Establish regular follow-up sessions, instead of a once-a-year, “check the boxes” tutorial, and urge everyone to “join the discussion” about cybersecurity, just as they routinely talk about business developments. When threat identification becomes part of your culture, users are constantly examining whether their teams are raising the bar toward complete awareness – and implementing corrective intervention if they’re not. When new employees join the department, veterans step up as mentors to pass along what they’ve learned, and the students become the teachers.
In addition, we encourage business leaders to work with their communities to spread this message, especially at their local schools and colleges. High school students will take computer courses, for example, without any inclusion of cybersecurity within the curriculum. We shouldn’t wait until they enter “the real world” to learn about these topics.
Similarly, cybersecurity team members must undergo constant training, not “one and done” annual sessions, as adversaries change their approaches swiftly. In the (ISC)² 2015 Global Information Security Workforce Study (GISWS) report, we found that 67 percent of information security professionals believed that certifications should be required for staff to build employee competence, and 52 percent said such training elevated their quality of work. Indeed, 58 percent cited security certifications and 45 percent listed continuing education as the top two major contributors to career success.
Let’s emphasize the word “continuing” here. After all, IT teams are always applying new patches to address new threats. In this sense, we can consider training a “people patching” initiative, one which merits recurring attention throughout the year through formal education, certification and/or training programs.
These efforts are critical because experts aren’t created in just one session. Team members need frequent exposure to the latest technology developments and adversarial tactics to sharpen their knowledge base. The bad guys’ “playbook” is always changing, which means the playbook for cybersecurity must change too. To accommodate individual preferences of team members, there should be a wide variety of teaching formats made available – whether on-site with a live instructor or online.
When you proactively promote an enterprise-wide awareness strategy for everyone – users and tech teams alike – you embed these concepts into every facet of your employees’ day-to-day functions. Data and systems protection no longer seems esoteric. It’s part of a core skillset – just like leadership development, communications and other “soft skills,” and “hard skills” like financial auditing, engineering and software coding.
In other words, it won’t be a “cybersecurity” thing anymore. It will be a business thing. And that’s why it will matter more to your people, for the long haul.