Introduction

Educating your workforce about cybersecurity through an awareness program is a foundational requirement that all cybersecurity standards share. So why don’t we have a very well-educated workforce when it comes to cybersecurity? Perhaps too many organizations, when they recognize the need for a cybersecurity awareness program, treat it like a change management effort; roll it out just in time and then add it to the corporate training curriculum. We know that’s not effective.

Bill begins this chapter by recalling that there have been other large-scale societal changes that have required massive, sustained awareness programs. He outlines the commonalities between these programs and allows the reader to draw inferences that will help put their program into context and set it up for success.

Matt continues the discussion by showing how each member of the executive team must buy in and be part of the solution. Education and awareness are about people, and specifically, the role each of us plays and how that role is personal to every one of us and through us becomes personal for each organization.

Gary then shows us how important it is to measure what we do, and more importantly, to build a habit of learning from each breach and changing the training content so that it evolves as our threat environment evolves. Tying our metrics to our awareness program is a powerful concept and will help any team be more successful by focusing on continual improvement.

The authors would like to pose some important questions to think about as you read this chapter:

♦  What are the “lessons learned” from industry data breaches that can be used to reduce our organization’s risk exposure to these adverse events?

♦  How successful is training our staff in actually preventing breaches versus having the right software and hardware in place?

♦  Does our organization have a culture of cybersecurity awareness and do we have a program to educate our staff?

♦  What is our Incident Response Plan and how do we train staff, stakeholders and partners on how to use this plan?

The Critical Role of Security Awareness with Executive Management – Stamper

Doesn’t Every Executive Value Cyber?

Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or adjusted configuration setting away. Oh, that it was that simple.

Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.

We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives that merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that given the lack of “ownership” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.

Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was like we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us…we did not communicate in a manner that was effective.

As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.

It’s About the People

Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Behaviors that bypass the best technologies can happen without awareness, an understanding of the acceptable use of organizational assets, and the investment in the training of our teams. One need not look any further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.

Matt Stamper