
James Warren
Vice President

See Yourself in Cyber: Prizes or Penalties?

Posted on 3 October 2022

Over the last five years, I've been lucky enough to interview hundreds of CISOs at the very top of the US Cybersecurity industry. I have spoken with CISOs at both large and small firms, in manufacturing and FinTech, leading teams of three, and three hundred.

What has become obvious to me now is that there is no one way to lead a security program, no style of management, personality, or philosophy that clearly beats another. Security leaders are a diverse group of business professionals such as CTOs, CFOs, and CEOs, all with different outlooks and backgrounds.

There are, however, a few beliefs that all, or at least the most experienced, CISOs tend to share. The first and foremost is that security is a village, and the responsibility of the whole business, as opposed to just those with titles like ‘Governance Risk & Compliance Manager’ and ‘Threat Intelligence Analyst’.

It is no industry secret that most data breaches can be traced back to human error. Verizon estimates that 82% of data breaches are down to human error, whilst IBM estimates that up to 95% of these breaches are caused by the likes of us. But whether the answer is 82% or 95%, that’s a supermajority of incidents with a human-shaped weak link in the chain. So as a security team, you ignore the biggest attack surface in the entire threat model, us, at your peril.

I know we’ve been trying to tell our employees that security is everybody’s responsibility for years, but the fact still stands that even with all the fake phishing emails we can create, the responsibility of showing people how to be cyber-safe still falls back on the security team every single time.

So how do you change this?

Well, if there’s one consistency among top security leaders in this regard, it’s that it helps to be positive.

Old security phishing education campaigns used to operate by punishment. Click the wrong link? Four hours of mandatory training. Give out credentials to a social engineer? Wall of shame. Repeat offenses? Lose your job.

Security departments struggle enough with the stereotype of being the ‘department of no’ or the department that is ‘out to get people’, making them feel stupid or naïve as part of their learning process. This is not a step in the right direction when it comes to raising the profile of the department.

Positive Reinforcement could be the answer

Whilst negative reinforcement can work, most studies show it works a lot less well than positive reinforcement, and even without a tangible way to measure it, I would be willing to bet that the departments that do associate security with fear and resentment probably won’t get more of their colleagues interested in it as an overall subject.

Some of the best ideas I’ve heard on this subject take the opposite approach – using the security budget to fund raffles and prizes for employees self-reporting phishing campaigns and unusual activity.

Flag a phishing email? Whether real or red team? Get a coupon, free lunch, or entry into a competition to win a vacation or days off. If security is genuinely there to save the business money, from fines, or ransomware, or lost productivity, then make that clear to employees by offering something of value in return.

Make Phishing Positive?

Being positive about the purpose of security can also be hugely beneficial. Beating everybody over the head with Armageddon-style scenarios of what could go wrong, whether these are real threats or not, can fatigue employees and lead to more lapses of judgment in the long run.

Instead, the most modern CISOs describe security as a seatbelt, or an airbag, or, as one thrill-seeking security leader put it to me,

‘The reserve parachute and altimeter that makes skydiving safer than driving, even with a seatbelt and airbag’

The point is, nobody ever talks about these things getting in the way of commuting or falling from the sky for fun.

Framing security as a necessary component for traveling to the edge of what’s possible for a business can help drive a true shared sense of responsibility, and more than that, for something important.

Like the Houston janitor telling Kennedy in 1962 that he was ‘helping to put a man on the moon’, you are shifting the paradigm of security awareness from something that is about preventing personal embarrassment, or because you will make the security team look good, to being about doing your bit as part of the company.

If you’re interested in learning how you can make the switch to positive reinforcement of cyber policies, or you’d like to hear more from us this Cyber Security Awareness Month, then connect with myself and the rest of the team on LinkedIn.