With people arguably the weakest point in an organization’s cyber defences, security awareness training is a hot topic for CISOs.
But what’s the most effective security awareness strategy: The carrot or the stick?
At TMX Group, which runs the Toronto Stock Exchange and the TSX Venture Exchange, the answer is a subtle carrot.
“My overall goal is to make security personal,” CISO Bobby Singh told the RiskSec Toronto conference this week. “The intention is to get users to understand how to protect corporate data as they protect their financial data in their personal life.”
While the organization looks for security champions outside the IT department, runs phishing simulations four times a year (with one-on-one meetings for staff who repeatedly click on bad links in the tests) and holds occasional ‘lunch and learn’ sessions, the focus of awareness training has shifted.
“Instead of talking to users about protecting corporate data we’re talking about how to protect their financial data – what multifactor authentication looks like, how it should be done, how do you know what your kids are talking about on SnapChat … and we’re hoping that while doing the personal stuff the transition of behavior will come into the corporate side.”
But, he admitted, “at the end of the day some of the behaviour gets changed [only] when you have a risk/reward model attached to certain behaviours.”
Security training also has to strike a balance, he added: The CISO doesn’t want staff to be afraid of the Internet. “My role is to make them sufficient enough so that at the end of the day enough security knowledge exists that there’s not silly or stupid things happening.”
Fellow panellist Graham Westbrook, a cyber security analyst with Geisinger Health Systems, a chain of 12 hospitals, two research centers and 30,000 employees in New Jersey and Pennsylvania, said his institution is using gamification for training, creating a 10-minute online game staff can engage in on lunch breaks.
Geisinger encourages staff to see cyber security as part of the way they protect patients, like washing their hands. “When we can make the connection of caring for their patient, [cyber is] one more part of what they already do, then it won’t seem like behaviour management.”
But he also said that, to be successful, management has to create a “true sense of urgency” about cyber security.
There’s no one answer to awareness training, Singh emphasized. Education has to go along with security basics in network design and defence in depth.
One audience member complained that at his organization the budget for security training is only enough to meet its compliance obligation. If the company equates compliance with security, it’s in trouble, replied Westbrook.
Infosec pros have to understand their firm’s culture, then create ways to change it, he added.
Finding data to persuade management is also important, said Singh, such as what it would cost the company to manage a breach. “Buy-in will only happen if there’s an urgency, if there’s an event or a culture shift,” he said. But he also said that not only do infosec pros have to get management to back an awareness program, employees have to support it as well.
“I feel like we’re in a transition phase where we have to take the lead in embedding security in multiple places, in our behaviour, in our products,” Singh said. “And then I’m hoping for the folks coming down the pike it will not be as obvious for them. It will already be embedded in the practices … and we won’t have to have this discussion, ‘Let’s embed security in something.’ It will just be part of the business or service we provide.”