Attackers have made people the principal attack vector. The Verizon 2022 Data Breach Investigations Report shows that attackers increasingly target people rather than technology, and that it is people who now pose the greatest risk to companies. According to the SANS 2022 Security Awareness Report, the top concerns security professionals cite are ransomware, business email compromise (BEC) and phishing. All three are closely tied to human behavior, which makes the professionals responsible for security awareness central to managing human risk.
The maturity of an awareness program can be gauged by the organization’s capacity to identify, manage and measure its human risk. The SANS Institute created the Security Awareness Maturity Model for exactly this purpose: it lets organizations benchmark the current maturity of their security awareness program and determine the best path forward.
SANS also found that the most mature programs were those with the largest number of people dedicated to supporting and administering them. Larger teams are better at working with security teams to track and prioritize human risks, and at motivating, engaging and training employees to address those risks. Demonstrating that an awareness program does more than deliver compliance training, and actually helps the firm manage human risk, is a key factor in winning the support of senior leaders.
The SANS 2022 Security Awareness Summit was held on August 3-4, 2022. Its goals were to help attendees build mature, effective security awareness programs and to share best practices. The summit was hybrid, and I had the privilege of following it from the safety of my own home in Greece. Here is what I learned.
How to adopt a behavior-first mindset
Cassie Clark, Security Awareness Engineering Manager at Brex, used her presentation to examine the drivers behind each behavior. These drivers can be individual (knowledge, motivation, biology and automatic thinking) or external (social norms and experience).
Behavior changes when you identify the root cause of a behavior, focus on it, and then make small adjustments. To support this, organizations must embed security in everyday operations, make the secure choice simple, and back it with technology.
Cassie Clark offered a guide to help you get started, with these steps:
- Collaborate with security personnel to pinpoint the top three behaviors that need changing
- Choose one behavior from that list to start with
- Incorporate the behavior into security messaging: avoid message fatigue and noise, respect different learning styles, and make use of social proof
- Start collecting data
- Socialize the approach with leaders
Move beyond awareness
Alexandra Panaretos, Americas Leader for Human Cyber Risk and Education at EY, kickstarted her presentation with an interesting question: “What if we didn’t focus on who we are now, but on who you could become?” In other words, what would it take to enable secure business operations?
This goal can only be achieved if human risk is successfully reduced. Panaretos identified the following key components of human risk reduction success:
- Engage – Create role- and risk-based activities and communications that deliver the right message to the right person at the right time, in support of the desired security behaviors
- Enable – Provide employees with the knowledge and the tools to demonstrate appropriate security behaviors and make sound choices when faced with challenges
- Integrate – Build cybersecurity into each role and into the daily lifecycle of the business
- Evolve – A secure culture builds on trust, effective communication, and positive experiences with security team members
Conversations can be a powerful catalyst for change
Sarah Janes, CEO and owner of Layer8, shared her insights on how security champions can promote culture change through collaboration and conversation. The approach draws on Edgar Schein’s research on organizational culture and David Cooperrider’s work on appreciative inquiry.
Janes argued that security leaders can change behavior by applying the formula (conversation + collaboration) * positive focus. When security professionals are visible and engage more with their coworkers, risk goes down.
Sarah Janes closed with a path to changing behavior:
- Define the behavior – Champions are a great way to help you find the right behavior to target
- Agree on your key results – Join the dots to show how stories have an impact on the numbers
- Locate data sources – Changes to systems are more straightforward when you have a clear line of sight to business risk
- Collect the data – Create awards and gamify, but remain inclusive
- Share the data – Use case studies from other businesses
- Use the data – Build a business case that will attract more champions
How do you make developers love security?
Madeline Howard and Sophia Adhami of Sage spoke about the process they used to build a culture of secure software development. The first step was understanding the developer world. They interviewed AppSec staff, product owners and security champion managers, and they attended every team meeting. Their goal was to understand the developer mindset: the tools developers use, the complex technology environment they work in, and what makes them tick. Howard and Adhami also wanted that understanding to build respect for developers’ abilities.
They used the results of this internal research to build the infrastructure for change and, ultimately, to engage the developers. AppSec executives set the tone by making security their top priority. The team then crafted the messages that would be communicated to developers. All developers underwent vulnerability and technology training so they would understand the dangers of insecure code. Motivation came through awards and recognition: a security champion wall of fame, emails from the CISO, prizes and t-shirts, and articles on the intranet.
Howard and Adhami measured the impact of their project from its inception and were able to demonstrate to both leadership and developers that the strategy had reduced the time spent fixing flaws.
The lessons from this use case:
- You don’t need to be technical, but you do need to be willing to listen
- This isn’t about inventing a new culture, it is about aligning cultures: security is added so that everyone pulls in the same direction
- Your technical colleagues want to do the right thing. Engage them!
There were many more interesting presentations, for example the Equifax use case on how the company transformed its security culture following the 2017 incident, and all of them demonstrated the importance of focusing on the human element of cybersecurity. Each organization is defined by its culture, and that culture must be shaped to enable security within your company’s processes. Building a security awareness program that works is possible: look at the success stories from other businesses in your industry and adapt their best practices to your organization.