
Building a Security Culture – A vision and roadmap to step beyond awareness

Andrew Rose, Resident CISO, EMEA at Proofpoint

Security leaders recognise that the human factor is now at the forefront of their fight against data breaches and cyberattacks. This is highlighted by the 2021 Verizon DBIR, which states that 85% of successful cyberattacks leverage a human element, and that social engineering was the most prevalent attack pattern across the year. Meanwhile, 70% of CISOs in the UAE and 69% in Saudi Arabia claimed human error to be their biggest cyber vulnerability.

Employees have been unfairly labelled as “the weakest link”, “the first line of defence”, or, more worryingly, “the last line of defence”. Each of these labels is misleading in some way. The truth of the threat landscape today is simple: people are your primary attack surface.

When the majority of attacks specifically target your user base, seeking to encourage them to click on a malicious link, disclose login credentials, open an attachment, or simply pay a fake invoice, the creation of a strong security culture to detect and repel these attacks seems an obvious choice.

Why is this, then, something most CISOs struggle to achieve?

One main reason is that culture must be crafted – carefully designed and constructed – and many security professionals lack a clear vision of the intended outcome. Many firms already have an intrinsic culture; however, to a security professional, the path to changing or updating it is rarely clear. Improving cybersecurity education and awareness seems like it should work, but unfortunately it has diminishing returns, and more must be done to change the behaviours of employees.

The current reality is that user awareness alone doesn’t lead to behavioural change. Proofpoint’s recent Voice of the CISO Report demonstrates that while 69% of CISOs in the UAE and 62% in the KSA believe employees understand their role in protecting their organisation from cyber threats, nearly 70% still consider human error to be their organisation’s biggest cyber vulnerability.

So, what is the vision and roadmap for a great security culture?

Every CISO wants the entire employee base of the organisation to be part of their extended security team: aware of cybersecurity threats and of their role in creating, detecting, and managing them. They need employees to continually exhibit the correct behaviour, make sensible security choices, and escalate dilemmas when operational conflicts arise.

This vision requires a commitment from both sides.

  • The employees must perceive the value of good security, the peril of its absence, and be able to recognise when their cyber-savvy needs to be engaged and when issues need to be communicated.
  • The security team must dedicate time and attention to ensuring that staff are always fully briefed on the techniques attackers may use and can recognise threats in their many forms. This education must be continually refreshed to keep pace with the current cyberthreat landscape and the latest tools and tactics.

There are three milestones on the journey to a successful security culture.

  1. The first is the common model of a CISO pushing the security message to staff, trying to influence them to understand and act appropriately. This meets compliance requirements and addresses core ‘awareness’ needs, but its effect is limited, and continued effort fails to move the needle. This is where most firms are: the CISO is the sole ‘voice’ influencing staff to make the right choices.
  2. The second stage represents a breakthrough – a switch of focus, where ‘awareness’ becomes part of a larger goal, that of ‘behaviour change’. Drawing on the wider sources of behavioural science, the programme focusses on influencing staff to change their behaviour, even when under pressure. Once this stage is achieved, employees have two ‘voices’ influencing their actions: the CISO’s, and their own internal narrative. This should enable staff to push back on unreasonable requests and expectations, but it is not infallible – line management priorities, volume of workload, or social pressure can still derail the user’s best intentions.
  3. The final stage is achieved when consensus builds and good security behaviour becomes an expectation of the wider community. The ‘peer pressure’ builds, and deviation from the secure path becomes less socially acceptable. At this stage, staff have multiple ‘voices’ supporting the correct behaviour: the CISO, their own internal voice, and the voice of everyone around them.

This final stage, where the corporate expectation is that security will be a priority, is the end goal. To many it may seem a distant dream; however, it is achievable.

Security culture needs to be company-wide, not just a concern of the CISO. When all employees take personal accountability for and ownership of security in the same way that, for example, airlines or oil rigs do for safety, then we will enjoy the true benefits of a ‘security culture’.
