The month of October is commemorated as National Cyber Security Awareness Month in the U.S. While it has been the norm to mark a day of the year for significant causes and for furthering solutions, it is rare for an entire month to be commemorated for a cause. In fact, Cybersecurity Awareness is the only cause that I am aware of for which an entire month has been marked. More than anything, this is an indicator of both the significance and the urgency of accomplishing this monumental task. Delays or failure to reach desired levels of consistent cybersecurity awareness could have a dramatic impact on individuals, societies, and entire nations. The recent incident in Germany, where a hospital could not care for patients, resulting in death as well as inadequate medical care to the community, is a stark reminder of the potential consequences.
By Ravi Ivaturi, Sr. Vice President – Digital Security Architecture at Citi
It is clear that the time to act is now! For cybersecurity leaders and professionals, the month of October and the rest of the quarter are an excellent opportunity to further awareness and initiate conversations. These conversations should go beyond a simple ‘FYI note’; rather, they should be messages with a call for action. The requested action(s) must be tailored to the target audience, and their impact must be measurable. Let’s look at some common stakeholders and awareness topics that could accrue immediate benefits:
Individual Customers and Employees
This segment of stakeholders is the most targeted by attackers and yet has been the least included in cybersecurity solutioning. A look at the Verizon Data Breach Investigations Report (DBIR) makes it immediately evident that Phishing and Credential Validation are the top two attacks in 2019. In fact, these two attacks have been in the top three list consistently over the past five years. Both attacks rely on user behavior and on users' inadequate cybersecurity awareness. Of course, there are technology-based controls to protect against these attacks, but their effectiveness has been limited. This implies that a successful defense against the two top threats hinges on promoting individuals’ cybersecurity awareness. So, in your message to this segment, consider encouraging your employees and individual customers to:
- Change the password for their accounts on your applications, if they have used the same password elsewhere.
- Attend training on detecting potential phishing/vishing/smishing attacks; even better send along a brief video or an online interactive lesson.
Both these activities can be measured to determine engagement, follow-on actions, and an overall reduction in attack surface. Apart from enhancing the overall security posture of your business, this effort could help the business be seen as a responsible and trustworthy partner.
Businesses are becoming more and more technology-centric, so much so that they seem like technology companies. The technology teams are pivotal to building new capabilities as well as enabling operations. This makes the technology teams a key stakeholder to reach out to about cybersecurity awareness. And, what could we ask of this tech-savvy group?
The key message to this segment of stakeholders is to consider cybersecurity as a springboard for their professional growth. Be it a technologist in an operations role or in a development role, a solid understanding of cybersecurity requirements, together with the ability to identify solutions and influence outcomes, will greatly help the individual stand out from the rest. More importantly, the individual will have demonstrated a grasp of business expectations and the capacity to lead change – both capabilities are a must for taking on leading roles. Follow this message with a call for action to take up specific training courses or to give wholehearted support to the security initiatives you need traction for.
This is perhaps the smallest segment by number and yet, it will be the most impactful in your endeavors. Leadership teams further the business goals and realize the set objectives. This essentially translates into the need to partner with growth-enablers. Cybersecurity has often been looked at as a growth-balancer, rather unduly so. Use the cybersecurity awareness month and the rest of the year to balance this narrative. One analogy I have seen to be effective is as follows:
Brakes on automobiles are often seen as devices meant to slow down the vehicle. Now, imagine driving a vehicle with no brakes at 60 mph. Would you do that? In effect, brakes are tools that enable us to drive our vehicles at the speeds we do (with the confidence that we can slow down or apply the brakes anytime). Similarly, cybersecurity enables a business to accomplish rapid growth that can be sustained by technology.
Tie this analogy to your call for action. This could be initiatives you would like to see funded, projects you’d like to prioritize, changes to employee performance measurement to include cybersecurity as a parameter, or other tasks that give you a strategic edge. Another effective call for action would be to have the leaders speak on this topic with their teams. Culture flows top-down in every organization. When leaders highlight cybersecurity as a priority, it will only translate into greater traction for your initiatives.
To conclude, cybersecurity awareness is pivotal for building and maintaining a robust security program in an organization. Using every opportunity to promote awareness will help significantly in the successful execution of your cybersecurity strategy. To ensure your awareness activities are effective, tailor them to the target audience, and design the activities to be measurable.
About the Author
Ravi is a cybersecurity leader with deep expertise in building cybersecurity programs for emerging technologies. He enjoys authoring technology articles, engaging with cybersecurity startups, and above all, solving problems. In his current role, Ravi heads the Cloud Security Architecture function for Citi’s Consumer division, providing security leadership for financial products used by millions of individuals across 19 countries. He also serves on Citi’s apex Security Architecture Council, providing oversight to enterprise-wide security architecture. With over 15 years of cybersecurity experience in the Financial sector, Ravi brings together a well-rounded experience and thought leadership in emerging-technology risks, security assessments, compliance, and technology risk management. Ravi holds a master’s degree from New York University in Computer Science.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.