Human Factors in Cybersecurity with Limited Funding

When funding is limited, training should have more funds allocated to it than additional
cybersecurity technology. As a Chief Information Security Officer, it is my responsibility to
determine the reasoning behind the choice of enhancing employee training over increasing the
technology to protect systems. While both are important, training is more vital, in my opinion,
due to the ever-changing human factors that exist in the realm of cybersecurity.

The budget for developing an effective cybersecurity program against threats is limited,
but allocating more than half of the funds to training is the direction I would take as Chief
Information Security Officer (CISO). My reasoning behind this is due to the complexities of
humans by nature. The odds of a cyber attack occurring through human interaction are
significantly higher than the odds of systems failing when they are operating properly or as designed. For
example, if I were an untrained or poorly trained individual at my company, and I received an
email and didn’t understand the indicators that it is probably a phishing attempt, then I would
likely click on the link in the body of text, assuming it wasn’t trying to harm my systems. Even
with annual training or required training for access to those systems, humans are forgetful,
innocent, and simple-minded. Having more funds allocated to cybersecurity training that isn’t
reserved for those instances is important to safeguard systems. With the various methods of
attack that require a person to click a link or mistype a code, humans and a lack of
training are the common denominator. As new cyber threats arise and advance, “countering
cyber threats requires a focus on people and behaviors, not just technology” (NIST).

In conclusion, as Chief Information Security Officer, I would allocate more funds
toward training than toward more cybersecurity technology. Humans are complicated creatures
and are a consistent fault in a company’s security. Increasing cyber technology is important as
well, but proper training to use systems and protect them is vital with limited funding.
