What keeps the CISO awake at night?
Part 1 – The biggest security threat to my organisation is our staff – what can I do?
Welcome to the first in a series of insights which will address the topics that keep Chief Information Security Officers, and their colleagues, awake at night. In our first insight, we look at how you can reduce the information security threat from your staff by creating a culture of security awareness in your organisation.
It is a long-standing headache for any security professional that security awareness depends on the behaviour of individual human beings. But how do you engage your staff on this topic and win their cooperation when the subject matter is often dry and technical? The answer is to capture their imagination and make the security content relevant to them.
Obvious, but true and surprisingly rare.
So why aren’t your staff information security conscious?
The main point of interaction your staff probably have with information security is when they call the help desk because something has gone wrong. As a result, security is often viewed as relevant to users only when there is a problem; it is something that ‘gets in the way’ of their daily work. So straight away your staff are in a negative mindset about information security and may well think that it is someone else’s problem to deal with.
Maybe your organisation’s security awareness model is to provide computer-based training (CBT) which describes hypothetical situations. If so, you are probably wasting your time. Your users will be clicking through the slides as fast as the CBT allows, guessing their way through the multiple-choice questions at the end, and moving on.
By showing your staff how their actions can either thwart attackers or enable them to cause a security incident for your organisation, you can begin to improve your organisation’s culture of security awareness. Here are three practical tips to really engage your staff on this topic.
- Make it real with Red team testing
There is a world of difference between the hypothetical threat of an external attacker being able to read all of your emails if your password is compromised, and a screenshot of the Chief Executive’s inbox after it has been compromised by a professional ethical hacker.
To bring security to life, it is necessary to answer the question “how will your organisation be hacked?”
A red team test, in which a team of expert penetration testers is paid to try to break into your organisation’s key systems, will get the attention of senior management. This is a relatively expensive way to engage the business; however, a £50K investment in a test lasting a few weeks, inclusive of the write-up, can provide sufficient material for business engagement training lasting at least a year. User awareness training can then use examples of “this is how the attackers penetrated our defences”, which brings the issue to life and makes it relevant, rather than relying on hypothetical and unrelatable examples.
- Create an event around security awareness
The concept of a “security awareness week”, in which users are given practical tips that are real for them in both their work and private lives, is a powerful tool for turning security into an enabler rather than a blocker. Low-cost desk items such as wallet-sized card protectors or security-branded water bottles can also increase user goodwill towards the security function. Engagement meetings or ‘lunch and learns’ help the security function to publicise the options available to users, such as using the report-phishing button, adopting a password safe (rather than the password spreadsheet on their desktop) or knowing when to pull the network cable out of a machine they suspect is compromised. Giving users a list of three tangible changes to their day-to-day activities, which will both support security and protect them as individuals, is a powerful persuasion tool.
- Set the right tone
Tone at the top is fundamental. It goes without saying that a Board-level owner should be identified with accountability for security. This includes responding to requests for information from regulators, but also sponsoring security change or remediation initiatives. If security is recognised as having board-level sponsorship, then users will understand that grumbles about security getting in the way of their work, and “it’s unlikely to happen to us”, will not be tolerated. Critically, the security and IT functions have a joint responsibility to provide solutions which allow users to work with minimal friction while maintaining security. There is no point in publicising a policy which states that users must not “send work home” to their personal email in an organisation that has no remote access capability or does not provide laptops to travelling personnel.
These are just three of the methods that we have seen used effectively to build a culture of security awareness. For security professionals to gain more traction with the business, they first need to become “translators”, so that end users are engaged and motivated to make real change.
If you enjoyed this blog then why not read others in our ‘What keeps the CISO awake at night?’ series:
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice.