When an organization gets hacked, who is the most vulnerable?
The answer is a no-brainer. It’s the employees not in IT or security who are the most vulnerable. So how can we train these people to understand security concepts better? And how do we make it simple enough that it is accessible to the general population and to the non-technical employees in your organization?
Cybersecurity readiness depends on all of us, not only security professionals with technical acumen. I recently joined NetSPI managing director Nabil Hannan on the Agent of Influence podcast to discuss this very topic and share highlights from my book, Cybersecurity Readiness: A Holistic and High-Performance Approach. I discuss this, and similar content, on The Cybersecurity Readiness Podcast.
In this blog, I’ll share highlights from our discussion and advice on how to achieve cybersecurity readiness across your organization.
Cybersecurity Education Goes Mainstream
Start by engaging in security conversations with people in a non-technical but pragmatic manner. We need to stop or limit the use of acronyms when communicating with people who are unfamiliar with this domain.
Many people don’t have a formal technology education. Instead, they learn these practical skills on the job or through other circumstances. In many cases, they’re fast learners and sometimes even more adaptable and flexible than those who do have a formal education. My point is, someone who doesn’t have any expertise in cybersecurity readiness can still learn and understand cybersecurity.
Training needs to start at a peer-to-peer level. People who are trained in cybersecurity can train others by engaging in simple discussions, providing small tips here and there, showing them the potential points of vulnerability, and discussing what they should and should not be doing. It’s a matter of recognizing the need and providing the resources to others in the organization, creating a cascading effect.
Cybersecurity readiness and education also need to begin much earlier in life. Kids three to five years old are now using the internet, and they need to be aware of the do’s and don’ts – and the consequences. We need to start with that age group and slowly advance the level of readiness.
Media and entertainment are great avenues for popularizing cybersecurity education, whether that is through movies, television series, or even Broadway shows. People like movie producers and scriptwriters can always find ways to instill cybersecurity hygiene and cybersecurity discipline in the audience.
Cybersecurity training exists today, but we need to go beyond that. Training needs to be customized, personalized, continuous, and it should be interactive and gamified. We need to incorporate continuous assessments in our training to better understand how effective the training is in enhancing people’s level of cybersecurity readiness.
Organization-wide Accountability in Governance is More Important Than Ever
There is a lot of guidance and tools out there to help organizations monitor threats. But here’s the problem: Not all organizations do a great job of properly logging, reviewing, and acting on the intelligence received. That’s where having robust processes and established governance mechanisms can make a difference.
The most critical success factors in cybersecurity governance depend on the level of commitment from the leadership team. As mentioned earlier, cybersecurity readiness is everyone’s business; it’s not just a technical issue.
I believe there needs to be an organization-wide effort to create and sustain a “We are in it together” culture in governance. To be able to build that culture and sustain it, organizations need to factor in joint ownership and accountability.
It’s not enough to expect the Chief Information Security Officer (CISO) to take ownership of all that is cyber in the organization. Every department must take responsibility and get involved.
The CISO Role Must Be Collaborative
If you hire a CISO, you should enable them to be successful. To do that, it is important to make the CISO function as collaborative as possible. Ensure that the CISO has direct reporting opportunities, whether to the CEO, to the President, or to an external group. The CISO should not operate in a silo.
We need to be proactive and substantive, and we – senior leadership – must be genuine about our desire to shore up our defenses. They are going to be the ones who hold the key to creating a formalized roadmap that will drive the security culture in the organization.
Development and Security Alignment
It’s not uncommon to receive pushback from senior leadership or top management about the need to do more cybersecurity training, because they would rather devote resources to developing a product or service.
The development team is incentivized to get the product out as quickly as possible whereas the security team leads quality control, making sure that the product is secure before it goes out.
The development team often sees the security team as an impediment to their goals, but their goals need to be aligned. They should be working together cohesively as one team. To do that, management needs to communicate this approach, commit to supporting it, and provide the necessary budget.
For more on this topic, read: Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster
Cybersecurity Professionals Must Take on New Challenges
There is an ever-growing concern about the catastrophic consequences of ignoring or being unprepared for cyber threats. To raise the overall level of cybersecurity readiness, we’ll need to incorporate holistic training in our cybersecurity curriculum.
The holistic approach will equip teams with both the business and technical acumen to handle the business-critical vulnerabilities of the company. These skills will enable them to transition seamlessly from a technical position to a managerial position, and eventually to the CISO role in the organization.
Failure is not a bad thing. In fact, I think it’s very important to fail. You fail when you’re trying to go beyond suggested specifications or when you’re trying to create something new. It’s an important mindset and skill to have because failure is one of the many features that define cybersecurity innovation.
If people are scared to try something new, they will stop innovating. Can you imagine, in the world of cybersecurity, when hackers are coming up with something new every couple of hours, what happens to the cybersecurity defense teams if they don’t keep up? Stimulating and supporting innovation is key.
Cybersecurity deserves the same level of attention as the rest of the business. After all, security is everyone’s business. We are all part of the solution, and we can all fall victim to a cyberattack. So, let’s do something about it. Making cybersecurity more approachable, incorporating organization-wide accountability, and encouraging innovation are all great areas to begin. From the CISO to the new intern, every employee plays a part in your organization’s cybersecurity readiness.
*This blog was co-written by Kia Lor, NetSPI Content and Social Media Specialist, based on the Agent of Influence podcast episode featuring Dave Chatterjee.