What is your organization’s approach to cybersecurity culture, behavior and awareness programs?
At the recent Forcepoint Exchange Strategy Summit virtual event we were pleased to welcome Dr. Jessica Barker, co-founder and CEO of Cygenta and Chair of ClubCISO, to speak with William Beer of HB Advisory on the topic. The conversation included commentary on human bias in cybersecurity. A topic close to our heart in Forcepoint X-Labs.
“People build, use and abuse technology”
William started the conversation citing a statistic from the UK Information Commissions Office – in 2018 88% of data breaches were linked to human behavior. William proposed that when we as security practitioners think of the people, process, technology framework the focus isn’t always so much on the people. So how do we change that?
Dr. Barker believes the answer lies with the individual who is leading the charge to embrace better and more accessible cybersecurity – the CISO. Success on building human-centric frameworks comes when CISOs engage with other functional leaders in a business, such as those in Legal and HR roles. The key is to bring employees into the solution, and be part of the solution.
How useful are phishing programs/simulations?
Dr. Barker suggested that raising awareness of cybersecurity risks and how employees should behave to mitigate risks should involve employees at all levels. Employees should, after all, understand why cybersecurity is important to them.
However, phishing programs, in and of themselves are not the silver bullet. Training and technology (security solutions) should not be in competition but instead used in a combination and layered approach. With efficacy rates of email security solutions stated as >99.0% it is inevitable that some threats will get through traditional defences.
The fundamentals of a good security awareness program
Dr. Barker underlined that a strong security awareness program should focus on your organization’s culture. It must be complementary, and not at odds with your culture. I have seen this myself when speaking to organizations around the globe – their organizational culture may be open and relaxed but their cybersecurity posture is restrictive and “locked down”.
Dr. Barker offered some tips on how to align the cultures by determining which behaviors represent your culture and then planning out how to raise awareness of those behaviors, and subsequently an awareness campaign to support. The performance of such an awareness campaign should be aligned with risk assessments and metrics to track success.
But what if a large enterprise has pockets of different cultures around the globe, pondered William. Dr. Barker offered that we as practitioners must seek feedback before pushing our messages. In essence we must listen to what the organisation is trying to achieve and work within those parameters, tailoring to suit the audience.
Measuring people metrics
Dr. Barker acknowledges that some in the business community say you can’t measure culture and the human aspect. She disagrees (as do Forcepoint X-Labs). By understanding the behaviors you wish to see change you can build metrics around those behaviors. Those behaviors might be how many watched an awareness training video, how many actioned the advice (for example, are now using a password manager), or how behavior is changed over time (for example, the employees are no longer clicking on obvious phishing links, or now use a sanctioned cloud application).
Dr. Barker offered other tips throughout the discussion, such as the benefit of supporting the cybersecurity of employees in their personal lives and not just while in the workplace, how to approach the human aspect of science such as from the fields of psychology and neuroscience (another topic that we focus on in Forcepoint X-Labs), and recommendations for reading material.
William wrapped up the conversation emphasising the key takeaways as being to recognise the importance of culture, metrics, and science.
So please do consider how your cybersecurity culture is supportive of and not at odds with your organizational culture, how you measure the performance of awareness campaigns, and how you may make data-driven arguments to support your programs.
Recordings and additional resources
- Llisten to the recording here.
- Other interviews and panels from the Forcepoint Exchange Strategy Summit are available here.
- Forcepoint’s Dr. Margaret Cunningham authored a paper “Thinking About Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science” which can help understand why people behave as they do when faced with social engineering attacks and workplace incidents. Please see the relevant download link above to view the report.