How Do We Influence Secure Behavior?
We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, VP, Threat Intelligence, Egress, a KnowBe4 company.
Setting an example from the top is key
This starts with training, but to actually influence behavior you need more than that. "People aren't influenced by being told what to do. They're more likely to copy good behaviors they see in others," said Mike Van Orden of Emanate Security Inc. Mike Wilkes of Wallarm: API Security Leader sees the need for this to come from the top leadership of the company on down, saying "You need to have a security mindset practiced by the senior leadership through the organization. Treat it as a 'whole of person' issue to improve their ability to detect malicious communications no matter their location."
Don’t just focus on cybersecurity at work, make it personal
"Educate them on keeping their personal accounts safe at home. It shows you care and will bleed over into their professional world," said Brett Deroche of Lockstep Technology Group. This can even go beyond training and extend into company benefits. "I would give identity theft protection as a corporate benefit. Make them more secure and the company becomes more secure by association," said Merry M. of DataGrail.
Annual training and punitive actions don’t meaningfully change behavior
Instead, continuous engagement shows the best results. "It comes down to sustained, motivated engagement. Prompt people with a super simple, hassle-free action focused on a behavior you're trying to change," said Eliot Baker of Hoxhunt. Andrew Wilder of Washington University in St. Louis even suggested a model that everyone knows for that type of training, Clippy from Microsoft Word. Imagine a pop-up with "Are you sure you want to enter your corporate credentials on this suspicious site?"
People will respond to cybersecurity training, but they will prioritize their jobs first
"If we want to make security 'stick', implement solutions that are as invisible as possible to employees," said John C. Underwood of Big 5 Sporting Goods. Cybersecurity won’t get buy-in if all you do is punish people. "People need to not see you as someone who will make their life miserable," said Yashvier K. of Sendbird.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
And thanks to all our other contributors (witting and unwitting): Jeffrey Wheatman of Black Kite.
Huge thanks to our sponsor, Egress, a KnowBe4 company
Cyber Security Headlines - Week in Review
Make sure you register on YouTube (insert updated link) to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do this every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Gerald Auger, Ph.D., host of Simply Cyber.
Thanks to our Cyber Security Headlines sponsor, Hyperproof
Connecting Discovery With Context
Sponsored content.
In cybersecurity, just knowing what assets an organization has isn't enough. That inventory needs to be coupled with the context of how those assets relate back to the business. Curtis Simpson, CISO at Armis, discussed how this allows you to understand the risk those assets hold within the organization. This becomes especially critical as IT and OT systems have become intertwined.
Understanding the risk posed by assets allows security leaders to quickly make the business case for taking action. This shifts the conversation away from CISOs talking about securing endpoints and assets, and allows them to talk directly about how a security threat ties to core business functions. Adding context to asset discovery makes it easier to bring security considerations into the everyday language of business.
Huge thanks to our sponsor, Armis
Jump in on these conversations
"Why do other cyber security professionals treat pentesting like the dark arts?" (More here)
"T-Mobile discloses second data breach since the start of 2023" (More here)
"What's the worst cybersecurity mistake you've seen someone make?" (More here)
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Resource Developer + SEO & SEM | Transforming lives through innovative training solutions
1 yr
I think the best way to influence secure behavior is to build staff understanding of why something is secure. Many staff - dependent on industry and other factors - do not hold an inherent knowledge of the importance of information they handle on a daily basis and the implications of the information in the wrong hands. While training requirements can be met on a business level, if staff still do not comprehend why it's important, said training will not have the desired effect. Any learning someone undertakes needs to be valued and meaningful to them. Build your training context around your staff as individuals and then bridge it to the business values, information that is handled, and so on.
Thanks for having us on the podcast David
Director of Content Marketing
1 yr
Love the way you bring the sentiment of the community into your article like this David Spark. Thanks for including me!
Thanks for the shoutout. Glad I could help in any way. Please let me know how I can contribute to your worthy efforts either witting or unwitting.