As we’ve heard many times, people are the weakest link in the security chain—basically, “What we have here is failure to communicate.”
That line from Cool Hand Luke sums up the challenge we have in the information security field. We all need to think differently about how to achieve business success under the constant threat of attack (or, as Luke would say, you’ve got to “get your mind right”). That includes users, partners, executive management, and board members. Raising the collective security IQ of the workforce can be one of the most cost-effective, proactive security controls you can implement.
The SANS Securing the Human: Security Awareness Report had three key findings:
- Support is essential: It is clear that security awareness programs will continue to fail until they get the same emphasis and support as technical controls. To address this, we have to better educate senior leadership that cybersecurity is far more than just bits and bytes; it also includes the human element. “An expansion of security awareness and accountability throughout the organization is required. Casual attempts at security awareness and education only go so far.” (ISC)2 Global Information Security Workforce Study.
- Soft skills are lacking: The majority of those in charge of security awareness programs have highly technical backgrounds and lack the necessary communication or human behavior skills.
- Security awareness is still in its infancy: The majority of programs surveyed by SANS were immature. The report notes that we are “still in the beginning stages of creating secure cultures. To effectively change behavior regarding information security, employees and executives must feel a sense of urgency and understand not only that they are targets, but also that their actions play a key role in securing the organization.”
So what have we learned? Effective organizations follow these practices:
1. Build an engaged, security-aware workforce
General security awareness activities (newsletters, a security awareness month, etc.) are important to remind the workforce of security best practices and of imminent threats. Testing users for their ability to avoid phishing scams will help reduce the threat of this common attack vector to the enterprise. Role-based security training programs are essential as well. For example, the HPE Cyber Risk report found that “…most vulnerabilities stem from a relatively small number of common, well-understood software programming errors.” Developers need training on software security best practices to effectively build more secure applications. Provide workforce incentives (e.g., spot bonuses, reward points) to put a spotlight on examples of security awareness behaviors you want to see. Likewise, it’s necessary to penalize those who place your organization at risk.
2. Develop clear policies and procedures that prioritize the protection of data and IT assets
Policies and procedures are always important, but they are essential for information security. You need to create and publish your policies to gain consensus on how you will handle specific security issues, including policy exceptions. Policy rules need to be clear, simple, understandable, and achievable by the workforce.
3. Have the support of executive leadership
Translate information security issues into terms of risk—that’s the language upper management understands. Make it personal and show how they’ll be impacted. Stage realistic security incident exercises that bring in other stakeholders such as outside counsel, communications, and solution providers. The annual renewal of cybersecurity insurance can also drive a useful discussion.
4. Work together and respond to security incidents collaboratively
Practice makes perfect, and you should exercise the incident response team on a regular basis to ensure that roles are understood and they aren’t learning on the job during an incident. The incident response plan needs to be accessible to all parties (e.g., on a mobile app). Don’t forget to communicate with employees, key business partners, and customers in a timely manner post-incident.
Obtain critical intelligence by sharing information externally with trusted partners and government agencies. Holistic threat intelligence is not a single-player sport—we need to collaborate just as our adversaries are doing. US government agencies such as the FBI and DHS want to partner with private industry in dealing with cybersecurity threats (e.g., through InfraGard and Information Sharing and Analysis Organizations, or ISAOs). While there are concerns with sharing incident and threat information with the government, as reflected in this ICIT brief, sharing IoC data with others may help them, and you, avoid an incident. You can also leverage commercial platforms to establish your own trusted communities for sharing threat intelligence data.
Buckle up: Learning from the automobile industry
A cultural mind shift on cybersecurity is needed, similar to the one that had to take place for automobile safety. It took decades to understand the risks, pass appropriate legislation, and then change human behaviors to reduce risk factors and associated injuries. I still recall being a kid in the '60s without a seat belt in the back of my family’s station wagon—something I certainly wouldn’t allow today with my kids (I wouldn’t own a station wagon, either!). Real change started when Ralph Nader, an early advocate for auto safety, wrote a book and spoke to Congress about auto safety in terms the general public and legislators could understand.
With regard to Detroit engineers, Nader said they had a “…general unwillingness to focus on road-safety improvements for fear of alienating the buyer or making cars too expensive.” Sound familiar? Once regulations were imposed, auto companies complied, and massive advertising campaigns followed to convince the public to buckle up. Efforts to enhance auto safety continue to this day.
Significant security incidents can raise security awareness and spawn some remediation actions. However, a reactive approach won’t change the underlying mindset or behavior of the workforce. What's required is a concerted, sustained effort to convert our workforce into an effective human firewall.