The Human Factor in Cybersecurity

Being a senior executive in a company brings many challenges. As Chief Information Security Officer, it is imperative to recognize that training and education are critical to protecting information systems, and that humans are at the center of it all.

Cybersecurity is Human Behavior

The term “cybersecurity” is often treated as a purely technical discipline, an extension of computer science. Technical controls are indeed the core of cybersecurity, but the human element cannot be ignored: an estimated 70-80% of the total cost attributable to cyber-attacks results from human error (Ideas42, n.d.). What does this mean in practice? Software engineers unintentionally writing code that weakens the software’s security, IT professionals misconfiguring access control, employees lacking awareness, or even CEOs who do not treat cybersecurity as a key risk area. Employees are a company’s greatest vulnerability, and understanding typical human behavior is vital to identifying anomalies and preventing cyberattacks (Columbia Southern University, 2021).

“Only amateurs attack machines; professionals target people” – Bruce Schneier (2000), Cryptographer.

As The CISO…

My top priority would be to answer the question “Are we safe?” with a confident yes. Facing constraints such as a limited budget, I would do this by focusing less on building a “bigger, taller wall” and more on educating employees and users. By reviewing current policies, we could adjust them to better balance training with new technology and foster a stronger culture of cybersecurity awareness. The goal is the right combination of education that changes behavior and technology that helps protect against cyberattacks. We could focus the budget on security technology; however, cybercrime is not only continuing but increasing, so we must keep up. Security surveys consistently reveal that the user-facing aspects of security, such as policy, training, and education, receive significantly less attention than technical controls such as firewalls, antivirus, and intrusion detection (Furnell & Clarke, 2012).

Incident response plays an important role in maintaining this balance. “Why did this happen, and how can we prevent it from happening again?” are conversations that need to be had after every incident. The lessons learned help mitigate future compromises, which will inevitably be kind to the budget.

The Great Balancing Act

Implementing strong, sound security policies is crucial, and it must include training all users of the systems to some degree. This can be done at multiple levels and through multiple interventions. Onboarding orientation is the perfect opportunity to ensure that all employees are educated on, and made aware of, policy and procedure. It should not stop there: training should be conducted on a regular basis, either annually or semi-annually. Roy Zur, founder and CEO of ThriveDX SaaS, describes having seen firsthand how effective interactive lab environments can be in training employees (Zur, 2022). Everyday employees do not need to be cybersecurity experts, but they should be aware of key terms and of the most common types of attack that could significantly affect the security of the organization. In this way an organization can invest less in additional technology and allot those funds to educating and training employees.

Conclusion

By recognizing that cybersecurity is the result of human behaviors and decisions, we can better allocate resources to educating existing employees rather than to technology purchases. This will ultimately make an organization more secure. That is not to say we must rely solely on employees: we must be careful with the funds and support employees with the proper technology and cybersecurity professionals. The strongest security networks are only as good as the human beings behind them.

References

Columbia Southern University. (2021, February 5). How human behavior affects cybersecurity. https://www.columbiasouthern.edu/blog/blog-articles/2021/february/human-aspects-of-cyber-security/

Furnell, S., & Clarke, N. (2012). Power to the people? The evolving recognition of human aspects of security. Computers & Security, 31(8), 983-988. https://doi.org/10.1016/j.cose.2012.08.004

Ideas42. (n.d.). Human behavior in cybersecurity. Retrieved November 21, 2022, from https://www.ideas42.org/project/human-behavior-cybersecurity/

Schneier, B. (2000, October 15). Crypto-Gram. Schneier on Security. https://www.schneier.com/crypto-gram/archives/2000/1015.html#1

Zur, R. (2022, February 18). Optimizing cybersecurity awareness training with active learning. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2022/02/18/optimizing-cybersecurity-awareness-training-with-active-learning/?sh=af3159e1a3a7
