The Carrot and the Stick
Bill Bonney
Cybersecurity Evangelist and Co-Author: CISO Desk Reference Guide (1 & 2)
This is the thirteenth in our series sharing thought pieces and the third from the CISO Desk Reference Guide: A Practical Guide for CISOs, Volume 2. In the following excerpt from Bill Bonney’s essay for Chapter 13, Bill explains how cybersecurity training, when done well, can have measurable impacts on reducing breaches. Please enjoy.
First, the carrot: one of the most important duties of a CISO is that of a change agent, especially when it comes to online cyber hygiene. The sad reality is that while Advanced Persistent Threats (APTs) and zero-day exploits get a lot of attention, most successful breaches are still initiated by relatively unsophisticated attacks. It’s a matter of economics. Why would a hacker spend a lot of money and time on an APT or burn a rare and powerful zero-day exploit when they can pay little or no money and get quick results using phishing or drive-by attacks?
It has become a cliché: “Your employees are your first line of defense.” Security professionals and standards writers agree, of course. NIST 800-53, ISO 27001, and PCI-DSS all devote portions of their standards to training and awareness. Also, attack post-mortem analysis and employee response testing show that companies with security training programs decrease successful attacks by 20-40%.[1]
And now the stick: while PCI-DSS is a standard, to be PCI certified, you need to pass a PCI-DSS audit. Additionally, the following regulations all require a security and awareness training program:
OK, so it’s a good idea to have a company-wide education program that focuses on cyber awareness and security training. But how do you do it, and what works? Don’t most people just nod their way through mandatory training? Well, yes, and the main reason, in my opinion, has less to do with it being tedious and overlong (though that doesn’t help) and more to do with the fact that it is a corporate training program that is often detached from every strategic goal the company might have. It’s often part of the onboarding package that includes workplace harassment training and anti-bribery training and the new-hire classic: “how to log onto your new expense reporting system in 20 easy steps.”
I am not suggesting that security training must be snappy and quick, or indistinguishable from sketch comedy. Best practice has advanced from the timed lessons that prohibit quick clicks and require a minimum think time per module to ensure the employee had ample time to absorb the material they aren’t reading. Best practice is now a series of short, to-the-point vignettes focused on key messages. And in many cases, this training is delivered automatically right after an issue has occurred. In other words, if I click an inappropriate site or click on a link in a phishing email, many systems now send an immediate training module to the user to reinforce the message.
But more importantly, the cyber education and awareness program needs to align with your corporate mission and become part of your everyday engagement with the workforce. Cyber hygiene needs to be important, practiced, and taught by every executive, starting with the CEO. That means you need to get the members of the C-suite signed up and evangelizing before you can have an effective cyber-awareness training program.
To see how the CISO Desk Reference Guide, Volume 2 fits into your reading journey, reference our reader's guide on our LinkedIn Company page:
[1] Security Awareness Training Explosion, John P. Mello, Jr. (https://cybersecurityventures.com/security-awareness-training-report/)
Chief Information Security Officer (CISO) / Co-Author: CISO Desk Reference Guide (1 & 2) / Co-Author: Data Privacy Program Guide
2 months
Bill Bonney - I value these insights on training. Of note, this particular gem: 'Why would a hacker spend a lot of money and time on an APT or burn a rare and powerful zero-day exploit when they can pay little or no money and get quick results using phishing or drive-by attacks?' This sums up the economics of cyber crime so well and highlights why security awareness training is so critical.