Dr. Dave Chatterjee is a Visiting Professor at Pratt School of Engineering, Duke University, where he is teaching the Cybersecurity Program Development Operations and Analysis class in the Master of Engineering Program in Cybersecurity. He is also a tenured Professor at the Terry College of Business, The University of Georgia.
When an organization gets hacked, who is the most vulnerable?
The answer is a no-brainer. It’s the employees not in IT or security who are the most vulnerable. So how can we train these people to understand security concepts better? And how do we make it simple enough to understand so that it is accessible to the general population and non-technical employees in your organization?
In this blog, I’ll share highlights from our discussion and advice on how to achieve cybersecurity readiness across your organization.
Cybersecurity Education Goes Mainstream
Start by engaging in security conversations with people in a non-technical but pragmatic manner. We need to stop or limit the use of acronyms when communicating with people who are unfamiliar with this domain.
Many people don’t have a formal technology education. Instead, they learn these practical skills on the job or through other circumstances. In many cases, they’re fast learners and sometimes even more adaptable and flexible compared to those who do have a formal education. My point is, someone who doesn’t have any expertise in cybersecurity readiness can still learn and understand cybersecurity education.
Training needs to start at a peer-to-peer level. People who are trained in cybersecurity can train others by engaging in simple discussions, providing small tips here and there, showing them the potential points of vulnerability, and discussing what they should and should not be doing. It's a matter of recognizing the need and providing the resources to others in the organization, creating a cascading effect.
Cybersecurity readiness and education also need to begin much earlier in life. Kids three to five years old are now using the internet and they need to be aware of what are the do's and don'ts – and the consequences. We need to start at that age group and slowly advance the level of readiness.
Media and entertainment are great avenues for popularizing cybersecurity education, whether that is through movies, television series, or even Broadway shows. People like movie producers and scriptwriters can always find ways to instill cybersecurity hygiene and cybersecurity discipline in the audience.
Cybersecurity training exists today, but we need to go beyond that. Training needs to be customized, personalized, continuous, and it should be interactive and gamified. We need to incorporate continuous assessments in our training to better understand how effective the training is in enhancing people's level of cybersecurity readiness.
Organization-wide Accountability in Governance is More Important Than Ever
There is a lot of guidance and tools out there to help organizations monitor threats. But here's the problem: Not all organizations do a great job of properly logging, reviewing, and acting on the intelligence received. That's where having robust processes and established governance mechanisms can make a difference.
The most critical success factors in cybersecurity governance are dependent on the level of commitment from the leadership team. As mentioned earlier, cybersecurity readiness is everyone's business, it’s not just a technical issue.
I believe there needs to be an organization-wide effort to create and sustain a “We are in it together” culture in governance. To be able to build that culture and sustain it, organizations need to factor in joint ownership and accountability.
It's not enough to expect the Chief Information Security Officer (CISO) to take ownership of all that is cyber in the organization. Every department must take responsibility and get involved.
The CISO Role Must Be Collaborative
If you hire a CISO, you should enable them to be successful. To do that, it is important to make the CISO function as collaborative as possible. Ensure that the CISO has direct reporting opportunities, whether that is at the level of the CEO, President's level, or an external group. The CISO should not operate in a silo.
We need to be proactive and substantive, and we – senior leadership – must be genuine about our desire to shore up our defenses. They are going to be the ones who hold the key to creating a formalized roadmap that will drive the security culture in the organization.
Development and Security Alignment
It’s not uncommon to receive pushback from senior leadership or top management about the need to do more cybersecurity training because they would rather devote resources to prioritize the development of a product or service.
The development team is incentivized to get the product out as quickly as possible whereas the security team leads quality control, making sure that the product is secure before it goes out.
The development team often sees the security team as an impediment to their goals, but their goals need to be aligned. They should be working together in cohesion as one team. To do that, management needs to communicate this approach, recognize that they will support this approach, and provide the necessary budget.
Cybersecurity Professionals Must Take on New Challenges
There is an ever-growing concern about the catastrophic consequences of ignoring or being unprepared for cyber threats. To raise the overall level of cybersecurity readiness, we’ll need to incorporate holistic training in our cybersecurity curriculum.
The holistic approach will equip teams with both the business and technical acumen to handle the business critical vulnerabilities of the company. These skills will enable them seamlessly to transition from a technical position to a managerial position, and eventually the CISO of the organization.
Celebrate Failures
Failure is not a bad thing. In fact, I think it's very important to fail. You fail when you're trying to go beyond suggested specifications or when you're trying to create something new. It’s an important mindset and skill to have because failure is one of the many features that define cybersecurity innovation.
If people are scared to try something new, they would stop innovating. Can you imagine in the world of cybersecurity, when hackers are coming up with something new every couple of hours, what happens to the cybersecurity defense teams if they don’t keep up? The importance of stimulating and supporting innovation is key.
Final Words
Cybersecurity deserves the same level of attention as the rest of the business. After all, security is everyone’s business. We are all part of the solution, and we can all fall victim to a cyberattack. So, let’s do something about it. Making cybersecurity more approachable, incorporating organizational-wide accountability, and encouraging innovation are all great areas to begin. From the CISO to the new intern, every employee plays a part in your organization’s cybersecurity readiness.
*This blog was co-written by Kia Lor, NetSPI Content and Social Media Specialist, based on the Agent of Influence podcast episode featuring Dave Chatterjee.
When an organization gets hacked, who is the most vulnerable?
The answer is a no-brainer. It’s the employees not in IT or security who are the most vulnerable. So how can we train these people to understand security concepts better? And how do we make it simple enough to understand so that it is accessible to the general population and non-technical employees in your organization?
In this blog, I’ll share highlights from our discussion and advice on how to achieve cybersecurity readiness across your organization.
Cybersecurity Education Goes Mainstream
Start by engaging in security conversations with people in a non-technical but pragmatic manner. We need to stop or limit the use of acronyms when communicating with people who are unfamiliar with this domain.
Many people don’t have a formal technology education. Instead, they learn these practical skills on the job or through other circumstances. In many cases, they’re fast learners and sometimes even more adaptable and flexible compared to those who do have a formal education. My point is, someone who doesn’t have any expertise in cybersecurity readiness can still learn and understand cybersecurity education.
Training needs to start at a peer-to-peer level. People who are trained in cybersecurity can train others by engaging in simple discussions, providing small tips here and there, showing them the potential points of vulnerability, and discussing what they should and should not be doing. It's a matter of recognizing the need and providing the resources to others in the organization, creating a cascading effect.
Cybersecurity readiness and education also need to begin much earlier in life. Kids three to five years old are now using the internet and they need to be aware of what are the do's and don'ts – and the consequences. We need to start at that age group and slowly advance the level of readiness.
Media and entertainment are great avenues for popularizing cybersecurity education, whether that is through movies, television series, or even Broadway shows. People like movie producers and scriptwriters can always find ways to instill cybersecurity hygiene and cybersecurity discipline in the audience.
Cybersecurity training exists today, but we need to go beyond that. Training needs to be customized, personalized, continuous, and it should be interactive and gamified. We need to incorporate continuous assessments in our training to better understand how effective the training is in enhancing people's level of cybersecurity readiness.
Organization-wide Accountability in Governance is More Important Than Ever
There is a lot of guidance and tools out there to help organizations monitor threats. But here's the problem: Not all organizations do a great job of properly logging, reviewing, and acting on the intelligence received. That's where having robust processes and established governance mechanisms can make a difference.
The most critical success factors in cybersecurity governance are dependent on the level of commitment from the leadership team. As mentioned earlier, cybersecurity readiness is everyone's business, it’s not just a technical issue.
I believe there needs to be an organization-wide effort to create and sustain a “We are in it together” culture in governance. To be able to build that culture and sustain it, organizations need to factor in joint ownership and accountability.
It's not enough to expect the Chief Information Security Officer (CISO) to take ownership of all that is cyber in the organization. Every department must take responsibility and get involved.
The CISO Role Must Be Collaborative
If you hire a CISO, you should enable them to be successful. To do that, it is important to make the CISO function as collaborative as possible. Ensure that the CISO has direct reporting opportunities, whether that is at the level of the CEO, President's level, or an external group. The CISO should not operate in a silo.
We need to be proactive and substantive, and we – senior leadership – must be genuine about our desire to shore up our defenses. They are going to be the ones who hold the key to creating a formalized roadmap that will drive the security culture in the organization.
Development and Security Alignment
It’s not uncommon to receive pushback from senior leadership or top management about the need to do more cybersecurity training because they would rather devote resources to prioritize the development of a product or service.
The development team is incentivized to get the product out as quickly as possible whereas the security team leads quality control, making sure that the product is secure before it goes out.
The development team often sees the security team as an impediment to their goals, but their goals need to be aligned. They should be working together in cohesion as one team. To do that, management needs to communicate this approach, recognize that they will support this approach, and provide the necessary budget.
Cybersecurity Professionals Must Take on New Challenges
There is an ever-growing concern about the catastrophic consequences of ignoring or being unprepared for cyber threats. To raise the overall level of cybersecurity readiness, we’ll need to incorporate holistic training in our cybersecurity curriculum.
The holistic approach will equip teams with both the business and technical acumen to handle the business critical vulnerabilities of the company. These skills will enable them seamlessly to transition from a technical position to a managerial position, and eventually the CISO of the organization.
Celebrate Failures
Failure is not a bad thing. In fact, I think it's very important to fail. You fail when you're trying to go beyond suggested specifications or when you're trying to create something new. It’s an important mindset and skill to have because failure is one of the many features that define cybersecurity innovation.
If people are scared to try something new, they would stop innovating. Can you imagine in the world of cybersecurity, when hackers are coming up with something new every couple of hours, what happens to the cybersecurity defense teams if they don’t keep up? The importance of stimulating and supporting innovation is key.
Final Words
Cybersecurity deserves the same level of attention as the rest of the business. After all, security is everyone’s business. We are all part of the solution, and we can all fall victim to a cyberattack. So, let’s do something about it. Making cybersecurity more approachable, incorporating organizational-wide accountability, and encouraging innovation are all great areas to begin. From the CISO to the new intern, every employee plays a part in your organization’s cybersecurity readiness.
*This blog was co-written by Kia Lor, NetSPI Content and Social Media Specialist, based on the Agent of Influence podcast episode featuring Dave Chatterjee.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Test
test.com
Testing
7 days
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.
