8 Steps to Better Security. Kim Crawley
probably detect a pattern here. Whether information is communicated over the phone or through your computer networks, your people must remember to be cautious about who they grant access to, and to what those people have access. There are lots of different lessons you must frequently teach your workers, but they're all extensions of that theme. That's what security awareness is all about, the bedrock of your security culture.
Helen Patton teaches information security at Ohio State University. She shared some security awareness training tips with me:
Awareness training should be broader than just the company's data, with the theory that they will more likely apply security skills to stuff they care about first (family, friends) and then bring those habits to work too.
Awareness training should be about building advocates, not just partners. Reward them for good security behaviors—visibly, loudly. Don't punish for bad behaviors—naming and shaming just breeds anti-security workarounds.
So, those are the ideas you must encourage your people to remember. But how can you motivate them to be engaged? Well, as much as my love of cybersecurity knowledge drives my career, money is one of my main motivations. I have no interest in becoming super wealthy, but I need money to pay my bills and buy food, video games, and Demonia boots. I'm not unusual, except perhaps in my taste for footwear. People do well in their jobs because they want and need money, a necessity in our market economy. Security Journey CEO Chris Romeo also sees money as a useful motivator to get your employees to do good things for cybersecurity:
When someone goes through the mandatory security awareness program and completes it successfully, give them a high-five or something more substantial. A simple cash reward of $100 is a huge motivator for people and will cause them to remember the security lesson that provided the money.
I discuss how to build a security team in step 2. But yeah, dangle a monetary carrot in front of your workers! It won't hurt to give that a try. And as Romeo implies, $100 is much cheaper than a data breach!
Here's some more advice for fostering a strong security culture: make security awareness and training fun. In my writing, I convey my emotional and enthusiastic personality. I also get silly sometimes. I know that by writing that way, I can retain your interest and attention more effectively than if my writing was dry and boring, like in a lot of technical documentation and textbooks. If you find security concepts to be exciting and fascinating, you can express that attitude in how you conduct your security training and reminders.
It may help to quiz your employees about security in the style of a game show. Maybe you can search Randall Munroe's archive of xkcd web comics and find the perfect comic strip to complement a security concept you're teaching.
Be creative with how you present security knowledge and encourage good habits in a fun way. If you feel that your imagination is lacking, there's probably a creative thinker in your company who can help you with this.
Train your workers regularly, and give them frequent reminders of how they can work and interact with your computer systems in a more secure way. Now you're well on your way to fostering a strong security culture. But before we move on to step 2, there's one more thing I'd like you to keep in mind.
Security Leaders on Security Culture
Security leaders believe strongly in the importance of security culture. I asked some of these leaders for their thoughts on how an organization can improve their security culture. Their ideas were varied, but they all included improving relationships. For example, Andrew Gish-Johnson at Carnegie Mellon University stressed visibility and a willingness to help. He said, “Figuring out how to do things right is tough. Finding people to help is tough. If the organization doesn't know who to talk to or finds you're not helpful, they're avoiding you as much as possible.” But if, as the CISO, you can make sure the rest of the company knows who you are and what your role is, you can help improve your security culture.
Nav Bassi, the CISO at the University of Victoria, stressed “awareness and education,” while my friend Larry, a good cybersecurity leader but a very private man, said that “gamification (making educational material like a video game)” can help ensure employees understand cybersecurity well enough that they can maintain the security culture.
What Makes a Good CISO?
Not all organizations have chief information security officers. For the most part, they're like chief technical officers, but they're focused on cybersecurity. The nature of this executive role bridges the gap between nontechnical business leaders (“the suits”) and the IT department (“the nerds”).
Sometimes a company will outsource functions of the CISO role to a managed service provider or some other sort of third party. Either way, if your organization has a CISO, they're the top of the cybersecurity hierarchy. A CISO's job is to lead an organization's security team and to work with other executives to make sure the organization meets its cybersecurity goals. If a company gets hit by a major cyberattack that costs them millions of dollars, their CISO will be very stressed out.
I asked some security leaders what makes an effective CISO. In a nutshell, CISOs need to be able to work well with people. It helps to understand cybersecurity and information technology in general. But people skills are paramount in the CISO role. You need to be able to explain to other executives, such as the chief financial officer, why money should be allocated for a security budget. You need to be able to explain why spending $500,000 on cybersecurity can save the company $5 million. Further, you must also be able to lead your security team, including the people in your IT department.
Andreas Bogk, a principal security architect, also believes the CISO needs to be able to remain calm in a crisis. Nav Bassi thinks curiosity and resilience are important traits in a CISO. Randy Marchany, the CISO at Virginia Tech, believes in a strong team and thinks the CISO needs to be able to trust, defend, and cultivate the growth of the team. These characteristics all demonstrate the need for a CISO to be able to work well with other people.
The Biggest Mistakes Businesses Make When It Comes to Cybersecurity
I asked business cybersecurity leaders about the biggest mistakes organizations make when it comes to cybersecurity. Their answers included trying to solve a problem by buying off-the-shelf software, keeping investment in cybersecurity to a minimum, and believing that having employees who are compliant means that the company is secure. Mitch Parker, the CISO of Indiana University Health, put together his “top 11” mistakes:
Assuming that IT costs are sunk costs and that IT is capable of handling all issues with minimal effort or intervention.
Not doing or ignoring a risk assessment.
Not addressing or developing a risk management plan.
Not developing good internal processes to assess and address risks.
Under-resourcing information security initiatives either through lack of funding, team members, or both.
Assuming that cyber insurance is an appropriate risk transference mechanism. As of 2021, when this was written, the major cyber insurance carriers are becoming more stringent with who they insure. They are denying higher-risk customers policies due to ransomware payouts causing significant financial losses.
Leadership allowing their teams to bypass security controls and identified risks to facilitate the business, even if there is a high probability of a breach.
Assuming that security events will never happen to them for any number of imagined reasons.
Cutting security and IT costs out of projects to increase profitability on return-on-investment calculations.
Leadership not supporting security and information risk management as a required business function.
Overreliance on tools or services to address security needs based on inflated