Every year in October we remind our employees that it is time to think about cybersecurity. The cybersecurity awareness campaign has often become an afterthought for the security team, and the employees are even less excited. We run the same or a slightly updated training and hang up some new posters in the break room. You might email out a slide presentation and ask everyone to read it and respond “yes, I read it”. The annual requirement to check the block on security awareness has lost the value and effect we hope to achieve. Even blending the concepts of training and awareness is to some degree misplaced effort. Do we want to teach our staff how to be secure computer users, or do we want them to understand the threats our organization faces and how our security team works to defeat them? Those are two very different things, and I would like to encourage CISOs, this October, to choose the latter.
By Dick Wilkinson, Chief Technology Officer, New Mexico Judicial Information Division
Security efforts often go unnoticed. The security staff and the work they do are a mystery to employees outside of the IT department, and even many IT staff are not focused on the security effort. The security team is busy, always either improving your defenses or thwarting the next probe or attack. They may not be very engaged with the rest of the organization and don’t get much credit for the hard work they do. The security professionals work behind the scenes and know that their work may need to stay secret in order to control sensitive information about your own weaknesses or recent incident responses. This is for a good reason: we don’t want to advertise everything our security team does. The more you talk about the real-world threats and how you respond, the more information you give away about how you defend your systems, and that could lead to a compromise in the future. I challenge you to set that extreme secrecy aside and let some people peek behind the security curtain just a little bit.
A New Approach to Awareness
This October, take a different approach to cybersecurity awareness: internalize the awareness campaign. Instead of spending all of your time giving training and news snippets that don’t relate to your staff, take the time to show people what your team does and just how well they do it. The following are a few suggestions on how to showcase your team and their efforts while also making your general staff smarter about the threats you face.
Present awards: If you have a big enough security team to highlight some exceptional efforts or individual growth, make October the time you recognize those people. If you can put together a presentation to showcase these people, even better; invite the entire company. Putting your security employees themselves in the spotlight helps people see that they are a part of the larger team and that the security professionals are just as motivated as everyone else to grow and achieve new professional success. Recognize things like new degrees or certifications earned in the last year. Recognize people who were promoted in the last year and describe what that new level of responsibility means. When the organization sees your team and the personal effort they bring to the table, your team becomes more approachable and better integrated with the rest of the company. This makes the staff aware that your team is focused on growth.
Highlight your department’s growth or transformation: Moving from the individual member to the team as a whole, this is the chance to show off your own managerial prowess. If the security team had a long project to stand up a totally new SOC tool set, tell everyone else just how tough that was and what that work means to the company. Describe how the new system detects danger and how your people act to stop it. If you keep statistics like phishing attempts prevented or IP scans detected, now is your chance to show those to a large audience, not just the board and C-suite. Give the employees information that is concise and easy to digest, and that has a wow factor. Any mid-size organization sees thousands of phishing attempts in a year, and your team has to be always on guard against those threats. Let the employees know that security never stops, even when they go home. Showing the staff just how diligent your team is can raise awareness of the myriad disciplines that fall under the label of security.
Training: Last but not least, training is still going to get the time it deserves. Don’t email slides or buy a training package from a website. Use your team’s expertise to conduct face-to-face or live virtual training. Let the SOC analyst show a group of employees what they do when they detect a threat, using the real tools they work with. People think IT is magic and hackers are wizards; show them the skills you have hired and cultivated to combat that wizardry. You can really wow your company with even some basic show and tell. This will give your security employees a chance to be proud of their work, and the general staff will hopefully internalize that value and try to become more connected as part of the security mission. You can take your training objectives and weave them into the show and tell or presentations from your security team. Make a comprehensive plan and then let your team decide what they feel comfortable showcasing. Coach your security team and help them realize this is not bragging about how good we are; this is teaching everyone around us how important security should be in everything they do.
Take this October to change the meaning of awareness. We all know bad actors want to harm our company, but how much do we know about our coworkers and what they do to protect us? This is your chance as the CISO to answer that question and gain benefits every step of the way. You can recognize and motivate your security professionals and educate the workforce in new and interesting ways at the same time.
About the Author
Dick Wilkinson is the Chief Technology Officer on staff with the Supreme Court of New Mexico. He is a recently retired Army Warrant Officer with 20 years of experience in the intelligence and cybersecurity field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, and enterprise cybersecurity to cyber research for the Secretary of Defense.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for them.