For CISOs operating in today's cyber environment, the landscape is a difficult one. Alongside the imperative to defend their enterprises against increasingly sophisticated and relentless advanced cyber attacks, they must also face the possibility, even the likelihood, that their systems have already been compromised, and that the compromise was enabled by the failings of their own employees.
The now widely accepted reality that a breach is inevitable, or indeed already under way, should serve as a red alert to every CISO to act now. The big question is how to respond. One critical defence is a highly aware and enabled workforce that can spot potential cyber incidents and keep the enterprise safe.
The first and foremost goal of any security awareness effort must be effective organisational change that leads to long-lasting, positive behavioural change.
This calls for an effective, carefully planned programme with realistic expectations. No organisation should underestimate the time it takes to get this right. An organisation may run a six- to nine-month security awareness campaign, but in reality it takes two years or more to change a culture. Failing to recognise this can undermine the effectiveness of the campaign, with its full benefits never filtering through.
The brutal reality is that many such awareness programmes fall woefully short of the mark by being incomplete or poorly managed. Interestingly, the Information Security Forum (ISF) recently released a report in which it asked its members about their own approach to security awareness. "Only 41% of Members providing data for this Report rated their awareness programmes as 'good' or 'very good'; the remaining 59% rated their efforts as 'needing improvement'. Most importantly, none considered their efforts to be 'excellent', indicating there is room for improvement for nearly all organisations," the ISF states.
It is therefore paramount that the business determines from the outset what the desired security outcomes are. For example:
- What would be different if employees put security first?
- What behaviours would or would not exist?
- How would those behaviours be tested?
- How does the business articulate its security expectations of employees?
- How does the business use positive reinforcement for secure behaviours?
Equally crucial is that the metrics used to measure secure behaviours are properly assessed, in order to understand to what extent they really do indicate secure behaviour rather than mere awareness of policy. The click rate on a simulated phishing email, for instance, shows who fell for it; the rate at which employees report it, and how quickly, is a far better indicator of whether the behaviour the programme wants is actually present. Also, unless all stakeholders genuinely buy into the metrics being used, and are able to deal with the changes expected as improvements are made, behavioural change on the scale envisaged will not be achieved.
TRAINING: A VITAL FACTOR
What about training? What role should it have in explaining the impact of information risk decisions to the organisation as a whole? A vital one, is the answer. And not just in the classroom. Organisations need to align security awareness training to the principal business risks they face at every turn. If the business is an online provider, say, or transacts through that medium, training must reinforce everything from 'Don't Click It!' warnings to checking that the domain in the address bar matches the one the site's certificate was issued to before making a payment. The majority of organisations do not do this, and that must change.
Simulating real-world attacks is another key component, delivering as it does an immersive and interactive experience that elevates security awareness to a pitch that traditional security education cannot reach. Symantec’s Security Simulation platform, for example, provides multi-staged attack scenarios, allowing participants to take on the identity of their adversaries to learn their motives, tactics and tools. This enables participants to assess their game performance and provides structured guidance for future skills development. It also allows security leaders to strengthen their team by providing insight into individual and collective performance, visibility of functional gaps within the team and the option of performing pre-hire skill assessments.
Live-fire simulation helps to create an organisation that is constantly advancing its skills in forensics, ethical hacking and the other disciplines needed to combat and ward off advanced targeted attacks. To the well-known dictum, 'Know thy enemy', cyber security awareness advocates might add: '...without them getting too close to you'.
Your people are your greatest strength but also, potentially, your greatest weakness. Effective cultural change that makes cyber awareness part of the organisation's DNA is not only good practice; it is one of the most effective things an organisation can do to lower the enterprise's risk from cyber threats.