Contributed by: Stephen Gilmer
ADCG Advisory Board Member
Certified Chief Information Security Officer (C|CISO)
In July 2019, SANS Institute released its fifth annual SANS Security Awareness Report (SAR), which looks at how organizations manage a common risk: human error. While the report shows some positives, it ultimately demonstrates that the state of cybersecurity hasn’t significantly improved over the last 20 years. Using a 1 (low) to 5 (high) rating model, almost 54 percent of respondents reported that their IT program functions at a 3. The report digs into this data and outlines a few troubling themes:
The main issue plaguing organizational cybersecurity awareness is the lack of attention dedicated to cybersecurity awareness training. More often than not, employees charged with administering training programs do not have a job title that allows them to be dedicated to the demands of the role. The responsibility of training employees tends to be an “add-on” to another job, and 75 percent of professionals in training roles are part time. The SAR noted that time and budget are often the biggest drivers of this deficiency:
Awareness programs typically receive strong support from key departments and roles, including communications, security, and senior leadership, but many programs continue to struggle with support from their operations and finance departments. This remains unsurprising, as most awareness programs have a significant budget and operational impact on the organization.
So how does an organization improve its cybersecurity awareness training? Leadership should start by ensuring that the person tasked with leading the program has a job description appropriately committed to it. The SAR notes a correlation between the number of training-dedicated full-time employees (FTEs) and cybersecurity awareness: two FTEs show user improvements in “Behavior Change,” while four FTEs show improvements in “Culture and Metrics.”
From there, the finance department should be made aware of the benefits of an appropriately sized cybersecurity budget, and of the costs incurred by insufficient preparation. Most cost-benefit analyses will show that the cost of a data breach, including noncompliance fines and legal fees, typically exceeds the cost of awareness training. And from an operational standpoint, reducing the number of security incidents affecting a business means improved production, efficient expenditure of time and money, and lower potential for reputational damage.
Part of constructing an appropriate budget means remembering that while time is money, money can buy time. Purchasing content that can be distributed within your organization allows the trainer to focus on improvements, instead of the surprisingly arduous and time-consuming task of producing engaging content. Content for purchase ranges from online videos, newsletters, and posters, to interactive websites and video games that can be used to educate a workforce.
By following the same line of thinking, organizations should also consider making their cybersecurity awareness program a benefit program. Some companies are extending protection and awareness training beyond the enterprise and into employees’ homes in the form of protection software and training materials. This teaches employees good cybersecurity hygiene, something that, on a micro scale, functions similarly to personal hygiene: employees who have good cyber hygiene at home will be more likely to bring those good habits to work.
As we enter a new decade, it is critical that companies work to create a cyber-resilient workforce. Focusing on trust, data privacy and protection, and compliance as part of awareness training provides business leaders and employees the skills they need to protect themselves and their organizations. And it sets a good example: the SAR found that when companies complete benchmarking, and find their peer companies are investing in training, they will respond in kind. Making these principles part of an organization’s cultural DNA is critical to building a loyal and engaged customer base. And in the long run, it’s good for your bottom line.
About Stephen Gilmer
Stephen Gilmer is a Certified Chief Information Security Officer (C|CISO) with more than 25 years of experience as a technical expert and executive leader focused on securing technology companies’ most sensitive and valuable data and systems. Stephen previously was in-house CISO at both a biotechnology startup and at two Fortune 10 aerospace, defense, and technology companies. In these roles, Stephen designed and implemented sensitive data and IP security control programs; shaped policy at the national level and security framework formation; and proactively resolved complex investigation, audit, and regulatory oversight issues.
Stephen is a Six Sigma Black Belt who led the transition of the IT infrastructure of a private start-up to address the regulatory and operational requirements of becoming a publicly traded company. As a CISO executive in an aerospace defense company subject to a consent agreement with the United States Government, Stephen also led the global cyber investigations, risk analysis, engagement, and mitigation controls necessary for the organization to successfully navigate oversight requirements and re-establish credibility with Government customers. Concurrently, Stephen built and led the cybersecurity components required to support winning and executing multi-billion-dollar government contracts.
Stephen frequently speaks at global cybersecurity conferences, publishes articles on the business necessity of proactive cyber risk management, and advises on and conducts cybersecurity education and training for corporate leadership, including the Board of Directors, the C-Suite, and Compliance Officers.