People are an organization’s biggest asset. Our brains process information and store data differently than computers. We have the ability to empathize and use creativity in the workplace. Just as we bring a unique benefit to the workforce, people also create opportunities for “bad actors” to exploit. People have contributed to a large percentage of documented data breaches in recent years. The blowback from these events cost their companies millions, if not billions, of dollars. Negative factors aside, people are still vital to the success of any cybersecurity program. In order succeed, companies must make consistent efforts to train their employees while implementing new technologies to ensure their company is secure from cyber threats.
Training the People
As I mentioned above, people are an organization’s strongest asset. With the proper training, people can easily assist technology with protecting data and identifying cyber vulnerabilities. As a Chief Information Security Officer, I would place more emphasis on training my team rather than purchasing new security technology for my company. Seventy percent of my budget would be spent on training
personnel (Cydef, 2021). This training would be broken into smaller sections and would occur quarterly. It is common to see an annual cyber awareness training but I would rather see smaller, more frequent training. I would also make recent cyber threats or attacks available to my personnel. I think understanding the frequency at which these events occur would raise awareness. To conclude each quarterly training, each employee would take a brief assessment of basic cyber hygiene. They must obtain a specific score to receive credit for their training. Another cost-effective strategy is to mandate employees perform regular backups (Cydef, 2021). This strategy significantly reduces downtime should a cyber-attack occur and allows continued operation. In addition, the cost of training can be spread over time whereas purchasing new technology is a large “up-front” cost. People cannot carry the entire load when it comes to cybersecurity. We need to work in conjunction with quality cybersecurity tools to reduce a company’s overall cyber security risk.
New Technology for Cyber Security
Technology is normally where people focus when it comes to cybersecurity. With advances in artificial intelligence and machine learning, some roles historically staffed by people are being filled by software. The cost for said technology can be extremely expensive to purchase and maintain. I would allocate only thirty percent of my budget towards technology. This money would go to licensing and maintaining the software in place. In most cases, this cutting-edge software simply “makes executives feel safe” (Disparte and Furlow, 2017). Technology is meant to be a tool for our people to utilize when combating cyber security threats. Extremely advanced technology can also breed complacency in the workplace. It instills a false sense of security. As Disparte and Furlow write, “It’s better to assume your defenses will be breached and to train your people in what to do when that happens.”
Conclusion
The human factor is crucial in cybersecurity. People can be the most valuable asset or the largest vulnerability. Investment in people is money well spent compared to buying the next generation anti-virus software. We must remember it takes both qualified and well-trained people, using quality technology, to combat the ever present cyber threat. “Artificial intelligence, machine learning, and self-teaching algorithms may represent the latest trends in hot IT investments, but technology exists for and is utilized by people” (Disparte and Furlow, 2017).
References
Disparte, Dante and Furlow, Chris. 2017, May 16. The Best Cybersecurity Investment You Can Make Is Better Training.
Retrieved from: https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
CYDEF. 2021, May 19. The Human Factor: The Hidden Problem of Cybersecurity.
Retrieved from: https://cydef.ca/blog/the-human-factor-the-hidden-problem-of-cybersecurity/