CISO interview: Joshua Douglas, TRC Companies
Human error is involved in over 90% of today’s cybersecurity breaches. Sometimes it’s carelessness, sometimes it’s maliciousness and sometimes it’s things going wrong with the best intentions. No matter what, users need robust, comprehensive awareness training around cybersecurity.
We recently asked Joshua Douglas, CISO of TRC Companies and a member of Mimecast's Cyber Resilience Think Tank, to share his thoughts about the state of user cybersecurity awareness training and why it’s so critical in the fight to keep organisations safe.
How can humans help or hurt an organisation’s cybersecurity program?
Information security programs either fail or succeed on one of four key Cs:
Out of all of them, culture is the hardest to change and move the needle, but at the same time it is the one with the most direct impact on security and the other Cs. When you can change the hearts and minds of humans, they ultimately drive success for cybersecurity, overcoming perceived boundaries.
In your opinion, do enough organisations take the human element into account when it comes to security planning?
In general, immature organisations do not recognise human involvement as the factor to success because they believe that great technology will win the arms race in an increasingly hostile environment. Successful security programs have to combat cybersecurity threats with educating their teams first since cyber security is a shared responsibility and technology is fallible.
Should there be an onus on employees to educate themselves on good security practices and the latest email-based threats?
Everyone, regardless of being an employee or not, owes it ourselves to become more educated on how cybercriminals and nation states are targeting individuals to disrupt our lives and businesses by the very means we are performing digital transformation to accelerate our world into the digital revolution.
What are the top five “bad” things employees do at work when (they think) no one is watching?
Employees in general are not doing bad things on purpose nor out of malice, but they are inadvertently.
- Opening emails from people that they do not know
- Clicking on links without validating them
- Opening attachments without care
- Intertwining their work and personal lives thus putting companies at risk
- Failing to adapt processes to protect personally identifiable information
What is cyber awareness training and what are its benefits?
Cyber awareness training is educating individuals on what potentially risky situations look and feel like so that they can make smart choices to avoid potentially disastrous situations. By having a strong awareness training program, you extend your team and prevent incidents from happening when technology and processes fail.
What are the consequences of NOT providing regular and ongoing cyber awareness training?
An organisation is always in flux which means that new employees are coming and going and the only way to keep cybersecurity awareness alive is to provide continuous training so cybersecurity is top of mind. Without that regular training, your culture will suffer and people will then assume everything is fine with no reinforcement of vigilance.
What are some best practices for an organisation to start to make awareness training part of their culture?
The awareness training should be easy, short and supported by the leadership team. This should come with regular KPIs on participation rates and effectiveness with testing of click-through rates.
What role does “behaviour” play when it comes to security awareness training? How do you identify and track it, and how do you change it over time?
Behaviour can be tracked in a couple of ways:
- Does that person take the training?
- How often do they take the training?
- Does their leadership take the training?
- When tested, do they click on items?
- Do their actions upon having a real-life event change?
Some of this can be tracked systematically, others involve discussions and tests of their abilities, but can also be gamified to make people compete against one another. These KPIs can help them change their behaviour. In some cases, a personal event may cause them to change at which time if you can explain to them how this happened, will create an ambassador for your cause.
How can organisations use behaviour as a tactic to reduce cyber risk?
Organisations must realise that the carrot approach is far more effective than the stick. We often want to punish those that do bad but fail to reward those that do good as it is expected behaviour. To do this, showing and sharing the KPIs of awareness training and the impacts of incidents to their employees will empower a positive culture to influence behaviour.
How can employees help strengthen an organisation’s cyber resilience strategy?
Employees should take their training and challenge their information security teams to involve them in the shared responsibility of securing their organisations. They should also become brand ambassadors if they have personal interactions due to cyber threats.
What are steps an organisation can take to implement behavioural risk scoring and awareness training into their cyber resilience planning?
Every organisation needs a solid plan to implement a cybersecurity awareness program that can provide key KPIs that should how effective the training is and how it creates a trend in changes amongst its employees. Without solid mathematical data, you cannot track behavioural changes.
Organisations seem to know that training employees is critical. Why are so few actually doing it? What’s causing the gap? And how can we close it?
Simply put cybersecurity teams are afraid to rock the boat. There is a fear to create organisational impacts that can impede productivity. If your training program only offers 20+ minute long trainings, you cannot do that monthly. Since training is not always a cybersecurity expert’s forte, they fail to look for training packages that can provide micro-trainings nor do they partner with HR or their training teams to get more creative to address the human element.
This interview was previously published here.