Now that the Thanksgiving holiday is behind us in the United States, most in enterprise security look toward the coming year.

There is no shortage of challenges facing CSOs and CISOs. As we rapidly bring 2016 to a close and look ahead at 2017, there are two questions that perhaps are the most frequently asked. The first is, what can I do in 2017 to get the biggest bang for my buck? The second question is what will be my biggest challenge in 2017?  Those are two tough questions, and we struggle year after year addressing these two issues. Even though these questions have been asked in the past, this time it is different. This time, the answer to both questions is the same! So by addressing the biggest challenge in 2017, you get twice the bang for the buck. 

We have all seen cybersecurity tools and techniques continuously improved and made our parameter much more secure than they have been in years past. We have made great strides hardening our parameters. Give that reality, cyber attackers have shifted more of their attention to attacking today’s weakest link: the workforce and your cybersecurity staff.  The answer may be to harden your workforce. Traditionally, hardening is a term and technique that has been applied to hardware, software and systems. Today, it is different: it means hardening the human aspect of the cybersecurity issue.

The need to harden the workforce is shared by Gen. Gregory Touhill, the first U.S. Chief Information Security Officer, Office of Management and Budget.

He notes that CSOs and CISOs should partner with their HR department and their internal training department to develop a program (NOT JUST TRAINING) to promote positive workforce cybersecurity behaviors. The more that employees know about all attack techniques, the more they can protect themselves and their family members. 

One innovative approach to this concept was a contest for the reporting of phishing emails, where the first employee to report a phishing email scheme is entered into a monthly drawing for a $25 Starbucks card or similar. After that, the individual that was first to warn of the largest phishing attack experienced that year by the organization gets dinner for two at a local hot-spot. Get creative!!!

Hardening of the workforce requires time, training and ongoing reinforcement of the critical role they play in protecting the assets of their organization from cyberattacks. If internal and external customer services is always job #1; job #2 has to be protecting customers (internal and external) as well as your employer from the devastation that all too frequently accompanies successful phishing attempts and cyberattacks. You have to get and retain  attention and keep cybersecurity in the front of the workforce’s minds as they go about their jobs. That will be not only your biggest challenge, but a challenge that is unending and requires innovation, creativity and continuous attention. 

Your hardening efforts do not stop and end with the workforce. Reducing the attack surface area and reinforcing the remaining surface area are also essential, given the current and projected cyber threat environment for 2017 and beyond.