
Do you know who in the organisation is not behaving securely and why?

I have worked in security for the best part of two decades, most recently as the CISO of large financial organisations. In my time I have purchased and made use of a huge breadth of cybersecurity tools. Each one promised to drastically improve my company’s security posture. Some were useful, most were expensive, but no matter how many tools I had or how much money I spent, we still had our fair share of security incidents and breaches.

Many in the industry have the same experience, and it can be disheartening. Unfortunately, when something goes wrong CISOs – including myself at the time – are quick to point the finger at their users, whom they have spent significant amounts of time and money training against cyber threats. This sentiment really comes out of frustration, as CISOs don’t have the tools to give them what they really need – complete visibility into the risk the workforce poses to the organisation. Who in the organisation is not behaving securely and why? How do people feel about security? What are their intentions? Who requires additional support? This can only be offered by human risk intelligence.

Beyond security awareness

When I was a CISO, I felt the same frustrations. No matter how much I invested in training programs, users still made costly mistakes. It was clear to me that security tools and training, as it exists today, are not enough to ensure an adequate level of security.

Considering that 90% of breaches are caused by human error year on year, you would think that the rest of the industry has cottoned onto this fact. I would like to stress that this astronomically high percentage isn’t the users’ fault. The broken standards of security, with patronising, time-consuming, one-size-fits-all security awareness training, are more to blame.

The problem is the false belief that simply giving users more generic training and funny videos will be enough to build a culture of security in the organisation and effectively manage human risk. Unfortunately, while most CISOs have realised that training is only the starting point, many are burying their heads in the sand. If they are honest, they don’t want more of the same. What they really need is accurate data on their employees, the risks they pose and the ability to deliver highly targeted training and improvement actions, giving people highly relevant, timely cybersecurity advice and support. At scale and in real time.

Human risk intelligence

In an ideal world, the CISO would do this by talking to users and getting to know each and every one of them. However, in organisations with thousands or even tens of thousands of employees, this is not practical. But such data is like gold dust to a security team, as it can make a huge difference in how effective they are and in how they approach security for different groups and teams across the organisation.

Gathering this data is possible, but it relies on having tools that can measure attitudes and real security behaviours and find statistically significant correlations between them. This includes measuring people’s attitudes and perceptions, their thoughts on training and whether it is effective, their sentiment towards security and whether it stops them from carrying out their day-to-day job, as well as finding out about security weaknesses in the organisation.

This subjective data can be coupled with objective security behaviour data. Combining these data sets allows CISOs to understand which individuals pose higher cybersecurity risk to the organisation and automatically determine the most appropriate improvement actions (e.g. guidance, nano-learning, nudges, reminders, validation questions, cybersecurity task simulations) to address the risk.

Know your employees

This is a vital next step in the development of human-centred security that works for the organisation and the employees, not against them. In truth, we cannot criticise users for skirting around security measures that block productivity, but many people in security do. Cybersecurity isn’t included in the job description of somebody working in a finance department, and yet we expect them to keep our organisations safe with tired slogans such as “Security is everyone’s responsibility!”.

For too long, the industry has given cyber-criminals the upper hand by continuously relying on broken, ineffective security awareness training models whilst lazily blaming users for breaches. Of course, there is a place for training, but it must be effective, and the journey cannot stop there.

You can’t truthfully improve your security posture if you don’t know your employees. To ensure safety, you need to automate getting to know them, their attitudes and behaviours and provide adequate advice and support. Otherwise they will simply ignore their training and get on with their job, even if it puts company security at risk.

 

About the Author

Flavius Plesu is the founder and CEO of OutThink. OutThink’s ‘Information Security Awareness’ courseware has been approved by APMG using the NCSC Certified Training criteria for content in courses. OutThink’s software continually assesses human risk, monitors users’ behaviour and effectively delivers training.
