I am thrilled to announce my latest research, “How To Manage The Human Risk In Cybersecurity.” It’s research I’ve been leading and evolving since 2010, changing my mind about the title with each refresh to reflect the times. In 2010, for example, we focused on “How To Communicate And Promote Security To Gain Influence And Budget,” which reflected the challenge back in those days: that security was desperately lacking in importance and influence in organizations (remember those days?).
Fast-forward to 2021: I have seen a significant elevation not only in the influence and importance of cybersecurity, but also in the human element of security. For example, human error is now recognized as a key contributor to the overall risk profile of an organization. Unfortunately, as an industry, we’re still struggling to manage this risk. For years now, CISOs have done a remarkable job of training users to understand security risks by purchasing solutions with extensive content libraries, administrative features, and assessments measuring all manner of user failures. But this focus on creating awareness falls short of changing long-lasting behavior. And CISOs know they need to shift focus to the humans on the receiving end of these programs. Many are also acutely aware that organizations with strong security cultures have employees who are educated, enabled, and enthusiastic about their personal cybersafety and that of their employer. To move beyond perfunctory awareness and training programs to changing behavior and instilling a security culture (the ABC of security), you need to do the following:
- Build a human-centric security program. Move beyond tactics and create a multiyear, sustainable strategy via a four-step plan that includes: 1) identifying key stakeholder and threat communities; 2) defining your behavioral baseline and target state; 3) creating the initiatives that will influence each stakeholder community; and 4) measuring and continuously improving the plan.
- Focus culture efforts up, across, down, and outside your organization. Move away from point-in-time engagement activities by building a strong culture at four distinct levels within the organization, taking a different approach for each constituent. Advocate at the executive level to get security visibility; rationalize investments with business leaders to assure security buy-in; communicate with employees to create a consistently high level of awareness; and extend your reach by building trust with external stakeholders.
- Design transformative security awareness initiatives. Unless people feel positive about the topic of security, the capabilities of your team, and you as a leader, you will struggle to get them to truly buy into the need for security. To do this, your initiatives need to be impactful to resonate with the audience and continuously influence and motivate the audience to behave securely. The research asks you to consider 10 design principles when creating your transformative security awareness initiatives — I’m sharing four of these with you in the graphic below.
- Start by improving the culture and influence of your own security team. The biggest obstacle to security leaders’ efforts today is the image of security itself. So transform your own team’s culture, create an environment of psychological safety for your organization (remember the Tribune phishing disaster?), and extend your influence with a network of security champions. Above all, hire people with good human-centric skills. They are what’s desperately missing not only in your organization but in our profession.
I welcome your feedback and thoughts. This will always be my number one passion in security, as it was when I entered the profession in 1999 (eek!). It will never be perfect and will always evolve, and I only learn and grow from working with all of you.