5 WAYS TO CREATE A CYBERSECURITY-FOCUSED WORK CULTURE
by EDI FELDMAN, Chief Information Security Offi
The importance of privacy and security cannot be overstated in an age where so much of our business infrastructure relies on technology. Unfortunately, it’s also this reliance that makes our infrastructure the perfect target for malicious actors.
To combat and adapt to these threats, many companies, including Skillsoft and at least 16 US states, have appointed a chief information security officer (CISO) dedicated to minimizing technology risks for the organization.
A big part of the CISO's job is to encourage employees to be security-minded. I've found that providing positive security experiences helps create a partnership mindset between security and staff. Because while security focuses on malware and malicious attacks, human error presents the most significant risks.
As a CISO, you must educate employees to guarantee the security of your organization. Ninety-four percent of organizations report that they've had an insider breach. The average cost of a data breach is $4.7 million, and 20% of breaches can be avoided by providing educational resources for employees.
Often, it's an employee that grants bad actors access to your organization's digital infrastructure; nearly 30% of employees fall victim to a phishing attack because of a lack of training, and 86% of companies had at least one employee try connecting to a phishing site.
Cybersecurity training is key to keeping your organization safe. I see cybersecurity training — for leaders, practitioners, and other staff — as an essential part of a broad security strategy. When staff know what to look for and have a clear picture of what their security teams do, they can better protect themselves and the organization's data.
A solid cybersecurity culture thrives when employees are educated and enabled. Getting them enthusiastic about their personal cyber safety will help them understand why they should be vigilant regarding their employers' security.
Sometimes, however, training can fall short of expectations because the content is outdated, isn't engaging, doesn't meet employees where they are, or doesn't allow them to train in the ways they prefer. You can work 24 hours a day and seven days a week to be secure, but if even one member of the company isn't adequately trained, you are open to risk.
Organizations should establish a broad data privacy strategy, including high information governance standards for themselves that meet or exceed regulations. Creating such a culture of compliance around cybersecurity will not only avoid the risk of regulatory sanctions, costly reparations, and incalculable reputational damage, but also reap competitive advantage in terms of consumer trust.
Data security is not simply an IT responsibility. In fact, among the greatest risks to privacy and information security are employee actions. While bad actors certainly exist, even well-meaning but uninformed employees can cause a breach by falling for a phishing scam, inadvertently downloading malware, or clicking on a malicious link. Therefore, any training should encompass both broad data privacy concepts as well as specific requirements and cyber threats.
HERE ARE FIVE WAYS TO PREPARE YOUR WORKFORCE FOR TODAY'S AND TOMORROW'S THREATS:
1. ADOPT A CULTURE OF REGULAR, PERSONALIZED TRAINING
Training significantly benefits individuals and their organizations. Training improves morale, fosters high-quality outcomes, and leads to faster resolutions. However, the biggest inhibitor to security training is often employees' workload. If they have too much going on, asking them to make time for security training can lead to burnout or disengagement with the material.
But, if training is the key to warding off phishing attacks and bad actors, leadership must build in time to complete training correctly.
As a security leader, it's crucial to help reinforce the value of training and prove how effective it can be. We also see that when employees have a variety of ways to consume training, it allows them to engage better. If they prefer books, on-demand training, or instructor-led courses, it's essential to provide them with the modality that fits their preferences.
Our annual Lean Into Learning Report compiles findings from surveys and research, industry analysts, and Skillsoft customers to share the state of training and the importance of creating a culture of learning.
Something I'm excited to be working on at Skillsoft is creating more substantial alignment between our security teams and disciplines and our workforce. We plan to improve communication with monthly newsletters and other internal initiatives and become more visible within the organization.
The goal is to be present and transparent. If we want their partnership in protecting the organization, we must keep them aware of our efforts and give them insight into our workflow. For us, it's a two-way street.
3. PAY CLOSE ATTENTION TO TRENDS IN YOUR ORGANIZATION
Take note of your attack surface regularly. The only way to successfully stave off threats is to be aware of all possible entry points. You must be able to message how you, your team, and every member of the organization affect and are affected by it. Make that information widely and readily available.
Not only must you develop contingency plans and protocols, but you must also keep them updated. Refresh documentation regularly, and make it accessible to the team and broader organization as appropriate. Doing so will help ensure you minimize attacks when — not if — they occur.
4. COLLABORATE WITH YOUR PARTNERS & CUSTOMERS
You can use the same strategy you used to transform your workforce to engage with your partners and customers more regularly. By sharing trends, strategies, and new developments as they happen, you're giving those who rely on you insight into how you're keeping them safe. Education and communication help create a cyber-aware community where we're all looking out for each other.
5. FOCUS ON THE RIGHT METRICS
My key takeaway for leadership, especially other CISOs, is to remain focused on being prepared. It's terrific if you're able to block 99% of attacks, but if you don't stay perpetually ready, that 1% will sneak through. Of course, scoring a five on your NIST assessment would be an outstanding achievement, but you must find balance and comfort in the level of risk you manage while working within the constraints of the organization. Having plans to combat attacks is ultimately a better use of your organization's resources.
If you include your workforce and remain transparent, you will continue to have security allies throughout the organization.
Skillsoft continues to see security training rise in importance for organizations across industries. Since last year, security training consumption rose nearly 60%, according to user data in Percipio.
From security awareness to advanced skills for practitioners, Skillsoft offers professionals a blended approach to build critical skills to protect organizations from bad actors, phishing schemes or simply misconfigurations.