Irony can be a cruel teacher. In 2017, an admin at Deloitte disabled multi-factor authentication on their own account, opening a path to a major breach; quite an embarrassment for a Big Four cybersecurity consultancy. Then there's the BAE Systems survey of senior managers in which 40 percent confessed they didn't really understand their own cybersecurity protocols. Any wonder why C-level executives are prime targets of cybercriminals?

Yes, the single greatest asset of most companies, their people, can be their greatest weakness, too. And as cybersecurity pros know, we're at a particularly vulnerable point in history.

We've all heard the predictions of 3.5 million unfilled jobs in cybersecurity by 2021. It's unsettling, but worse is the lack of support for developing skilled and qualified personnel, as well as the continuing education necessary for keeping dream employees from becoming security nightmares.

While massive investments continue to be made in infosec products and services – projected by Gartner to hit $124 billion in 2019 – cybersecurity's people problem can actually be mitigated for far less money. From the boardroom to IT labs, in cubicles and in front of job candidates, a focus on promoting a learning culture that reaches all levels provides a great return on investment.

Best of all, reducing cyber incidents through education and training is achievable. It will enable your organization to avoid the devastating slipups caused by unsophisticated attacks as well as the more sophisticated ones, both particularly important considering the high-profile publicity around damaging data breaches and attacks. That said, the following can help CISOs and IT leaders cultivate the right security environment in their organizations.

Getting support, setting a tone

Creating a learning culture starts at the top. That means CISOs must have the full buy-in of the C-suite and board of directors, both financially and as a company-wide mandate.

Last year a Ponemon Institute study identified more than 20 factors that decrease or increase the financial toll of a data breach. The third most effective method – bested only by encryption and an incident response team – is training. Yet, according to ESG analysts, nearly two-thirds of organizations aren't providing the training needed to keep up with business and IT risks.

With this in mind, the benefits of education need to be communicated to decision-makers, and funds must be earmarked for training initiatives and tools. Once decision-makers are aware of the extent of cyberattacks and the potential impact on your business, their sense of accountability rises and you're halfway there.

Communicating in their language will close the gap. That means tying a stronger security posture through training to the bottom line, including messaging that covers such things as decreased regulatory exposure, increased uptime and productivity, reduced IT costs, and improved customer retention. Additionally, support these benefits with reporting they'll understand and data that provide financial justification.

Further, a CISO should have the green light to set the tone that security is a priority and that active participation is required of everyone throughout the company. And as the security evangelist, the CISO's office should be the source of all related communications.

Be the hub of activity and generate awareness with regular internal communications. For instance, has there been an attack in the news that easily could have been prevented? Is there a new report on the cost of breaches? These are teachable moments – pass along the information in brief and put it into an educational context.

Teach them and reach them

A report by infosec company Shred-it noted that employee negligence continues to be the biggest cyber risk to business, making education and cyber awareness essential for all employees. IT teams will need to lead organizations in cyber preparedness and ensure all employees are knowledgeable and understand security best practices. Their deep understanding of security issues, from both an awareness and a technical perspective, is essential to combat the inevitable breach.

Nothing sticks like hands-on experience, and luckily virtual IT labs provide this type of solution. With virtual IT labs, you enable IT teams to practice required defensive tasks and techniques by experiencing an attack in a safe, realistic environment.

Choosing the right hands-on training solution, however, is critical to achieving success. A good cloud-based virtual IT labs solution can scale to accommodate any size group and future company growth, while eliminating costs such as instructor and learner travel and labor-intensive deployment.

The solution also needs to spin up realistic, hands-on training environments quickly and support multiple learning scenarios. For example, it should support self-paced modules, which allow employees to complete training when and where it's most convenient, as well as real-time instructor-led trainings, which are useful for dealing with complex issues and new threats. Your virtual IT labs should support both scenarios.

Supporting IT

When it comes to helping IT teams, there are specific features you'll want to have in your virtual IT lab that can increase the effectiveness of complex trainings. For instance, enterprises have increasingly been turning to multi-step classes, in which instructors lead students between environments. Being able to move easily and logically from level to level, without interruption, increases comprehension, but it also avoids the overhead and bureaucracy involved in creating and conducting multiple classes.

Another popular feature is the ability for instructors to view what participants are doing in real time, and to barge in and help them when necessary. Immediate monitoring enables an instructor to recognize when students need help.

Furthermore, consider allowing your IT employees to participate in technical certification programs, which are often carried out via a training lab solution, giving them the opportunity to learn best practices and increase their knowledge retention by learning by doing. This shows employees you're invested in their career development, helping to retain talent, increase staff motivation and deepen the skill level on your IT bench.

Learning to grow

Enterprises will continue to grapple with cybersecurity issues and a talent shortage for the foreseeable future. However, with initiatives that educate and create a learning culture, they can reduce risks across the board and increase capabilities in key areas.

It's a process that needs to begin the moment an employee begins. Those enterprises that fully grasp the importance of such education – and invest in the tools needed to provide it – will be in a better position to confront the security challenges of today and tomorrow.