A recent Osterman Research white paper highlighted the relationship between the amount of time employees spend in security awareness training and the role that they see themselves playing in the defense layers of the business. It went on to say that regardless of the training program, cyber accountability must come from the very top – the C-suite and board – or it will fail.
Companies must take these warnings seriously.
C-level managers are typically more concerned about the time it takes to deal with cyberattacks than about the time it takes to give their workforce effective security awareness training, even though the second reduces the first. Both employers and employees should look at the situation this way: if employees receive good security training at work, they can also better protect their own personal data at home. Furthermore, once they are in the habit of securing their own data, they will protect company and customer data when they return to the office. It’s a win-win situation for the entire organization.
Today’s security culture
The existing security culture at most businesses focuses on the use of company devices: what workers can and can't do via email and social media, which websites they are permitted to visit, and how long they can spend on non-work-related computer activity during work hours. Organizations that have been breached generally also offer more detailed technical training, teaching staff about the CIA triad (confidentiality, integrity, availability). That’s good, but it is only the bare minimum of what employees really need.
Most regulatory standards and laws, such as PCI DSS, CCPA and GDPR, require companies to train staff upon hire and annually about security risks, how to spot an incident, and how to use the systems securely. However, the culture of security really depends on what senior management does to create accountability.
Cyber accountability means that an organization can retrace every data transaction that takes place on its systems, so that if something goes wrong, it can report who entered or was granted access to the data and what they did with it.
The five stages of cyber accountability grief
Cyber accountability needs to come from the board and C-level executives, yet when we attempt to discuss the topic with them, we are often faced with what I call the five stages of cyber accountability grief:
Denial: “It’s not our problem! We are here to increase profits for shareholders, create employment, and add value.”
Anger: “Leave us alone! We’ve already hired a CSO and purchased a security training program. Go talk to our compliance people!”
Bargaining: “Okay, we see that our competitors are being hacked and then audited by regulators. We’ll hire a reputable firm to conduct an assessment that we can use as a roadmap.”
Depression: “UGH. I can’t believe we have to establish security processes, install technical solutions, and train our users. But alas, we must.”
Acceptance: “Actually, this isn’t rocket science. We can do this!”
The five pillars of cybersecurity
The Five Pillars of Security framework we developed is well known and easy to use, and it lets companies determine the cyber-maturity level of the board and key decision makers. To determine the security level of any business, organization or government agency, simply look at five common denominators that apply to all of them: physical security; people security; data security; infrastructure security; and crisis management.
When questioning the C-suite about readiness in each of these security categories, instead of having them choose between “It's in place” and “It's not in place,” give them options like “I am absolutely sure,” “I think so,” “I don’t think so,” “I don’t know,” “I don’t care” and “It’s of no concern to our business.” If their answers are too often “I don’t know,” “I don't care” or “It's of no concern to our business,” that should raise a red flag. Everyone must add value to security awareness and accept cyber accountability.
In short, involve every stakeholder across the five pillars to create a good security culture, and also offer security awareness training to all staff members.
Make training fun
Make sure to highlight security on a regular basis. Two events every year are perfect for this: Cybersecurity Awareness Month in October, when there are lots of events and training around the world, and Data Privacy Day on January 28th. But companies can also take advantage of other occasions that involve teamwork, such as March’s Global Diversity Month, or March 8th, which is International Women’s Day. These all offer great opportunities to remind employees of what the company wants to achieve and what a culture of cybersecurity means for the organization.
I also recommend making security awareness fun and memorable. Gamify the training or turn it into a team-building exercise. Create a fun quiz with a leaderboard and prizes for different teams; the top five winners might receive a small token prize from the company or a day's PTO.
Make regular security awareness training an important element of the organization’s security culture. Finally, think of cybersecurity as a journey, not a destination: let's make it a fun one.
Mathieu Gorge, founder and CEO, Vigitrust