Want a security awareness program that sticks? Make it fun and personal, and provide a free lunch. (Photo: mamypuk via Adobe Stock)
If you are a security director who wants to improve your organization’s defensive posture, ask your human resources director out for coffee. It worked for Steve Luczynski.
Luczynski, currently head of the COVID working group at the Cybersecurity and Infrastructure Security Agency, told a story about how coffee conversations significantly improved security awareness when he became the new CISO of his former employer. The company’s security was “mature” and safe, but there was still a lot of work to be done.
“What has not been fully developed is a security program,” he said. “People don’t understand the role and importance they play.”
His task was to develop an improved security plan as quickly as possible. Luczynski soon started chatting with Valerie Utsey, now chief human resources officer of T-Rex Solutions, who suggested ways to build culture into his plan. Although he had already made some security awareness changes, such as monthly training instead of annual training, Utsey believed there was still room for improvement.
“Many employees still respond in the same way they always respond to things that take time from their daily work,” she said. “I think Steve might learn something from my experience in developing the company’s culture.”
In their RSA Conference session, “Working with Human Resources to Build a Cyber Security Culture,” Luczynski and Utsey explained how they worked together to make security more personal and meaningful to employees. The goal was to move security training and security awareness from a routine daily process to an embedded part of the corporate culture, a task Utsey believes can only be accomplished through collaboration.
“He had a heavy, unstable thing he wanted to move on his own,” she said. “Regardless of the size of the company, I hope there are people you can work with to further promote your business.”
Some of the new initiatives the two of them took include introducing employees to security from the very start of their employment. Instead of a mandatory 60-minute training video and test, Utsey began inviting Luczynski to talk personally with new employees during onboarding. The two also began running lunch-and-learn security activities together. Although a free lunch never hurts, Utsey said the fun atmosphere and friendly competition keep employees engaged, interested and motivated to learn.
The benefits are measurable. For example, the company found that its phishing click rate dropped from 30% to less than 3%, and it has stayed at that level. Luczynski also noted that employees meet the monthly training requirements, and that repeat offenders (employees who had clicked on bad links multiple times in the past) have improved and no longer fall for phishing bait.
Employees are your best security asset
Another session in this year’s RSA Conference human element track echoed many of Utsey and Luczynski’s lessons: security training needs to be frequent, personalized, interesting and engaging, and it takes time for an awareness program to get all of this right. A high level of awareness will not happen overnight.
In “Using Human Risk Data to Enhance Cyber Resilience,” Masha Sedova, co-founder of Elevate Security, and Michelle Valdez, chief information security officer of OneMain Financial, discussed OMF’s shift-left approach to security awareness, part of an overall strategy Valdez described as “forward defense.”
“If you invest in educating employees and take the time to teach them good security decisions, then you will start to see value added,” Valdez said. “We are now beginning to spend more time on tuning and tools so we can defend forward and reduce cleanup time.”
Valdez said the forward defense approach is built on several components designed to address the chain of events that occurs when employees make poor security decisions. They are:
- Understand your human risks at the individual and organizational levels. What good and bad security decisions are your employees making?
- For areas of strength: reinforce and highlight good performance to build a positive security culture.
- For areas of improvement: tailored guidance on what employees need to do better and why.
- Adjust controls and security tools according to the different risk areas.
“Take time to understand the risks employees bring to your environment at the individual and team levels.”
Valdez said information security leaders can focus on rewarding good behavior and correcting bad behavior through targeted training, with targeted being the key word. She also suggested collecting data that breaks down risky behavior by department and providing specialized training for each team where needed.
Left unaddressed, employees will remain what the session called “quicksand” in security defense. With personal and proper training, they can become the security team’s greatest defensive asset.
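As an added illustration (not code from the article, from T-Rex Solutions or from OneMain Financial), the script below computes the kind of human-risk metrics both sessions rely on: the phishing click rate per simulated campaign and per department, the repeat offenders who clicked in more than one campaign, and which of them have since stopped clicking. The campaign records are constructed sample data, and the column layout and department names are assumptions.

```python
from collections import Counter

# Constructed sample results from three simulated phishing campaigns.
# Each row is (campaign, department, user, clicked). Not real data.
RESULTS = [
    ("2021-01", "finance", "f1", True),  ("2021-01", "finance", "f2", True),
    ("2021-01", "finance", "f3", False), ("2021-01", "sales", "s1", True),
    ("2021-01", "sales", "s2", False),   ("2021-01", "sales", "s3", False),
    ("2021-01", "eng", "e1", False),     ("2021-01", "eng", "e2", False),
    ("2021-02", "finance", "f1", True),  ("2021-02", "finance", "f2", False),
    ("2021-02", "finance", "f3", False), ("2021-02", "sales", "s1", True),
    ("2021-02", "sales", "s2", True),    ("2021-02", "sales", "s3", False),
    ("2021-02", "eng", "e1", False),     ("2021-02", "eng", "e2", False),
    ("2021-03", "finance", "f1", False), ("2021-03", "finance", "f2", False),
    ("2021-03", "finance", "f3", False), ("2021-03", "sales", "s1", True),
    ("2021-03", "sales", "s2", False),   ("2021-03", "sales", "s3", False),
    ("2021-03", "eng", "e1", False),     ("2021-03", "eng", "e2", False),
]

def _rate(key, results):
    """Click rate (clicks / deliveries) grouped by key(row)."""
    sent, clicked = Counter(), Counter()
    for row in results:
        sent[key(row)] += 1
        clicked[key(row)] += int(row[3])
    return {k: clicked[k] / sent[k] for k in sorted(sent)}

def click_rate_by_campaign(results=RESULTS):
    """Trend over time: is the overall click rate dropping campaign by campaign?"""
    return _rate(lambda r: r[0], results)

def click_rate_by_department(results=RESULTS):
    """Breakdown by team, to decide which department needs specialized training."""
    return _rate(lambda r: r[1], results)

def repeat_offenders(results=RESULTS, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns, with their click count."""
    clicks = Counter(r[2] for r in results if r[3])
    return {u: n for u, n in clicks.items() if n >= min_clicks}

def improved_offenders(results=RESULTS, min_clicks=2):
    """Repeat offenders who did not click in the most recent campaign."""
    latest = max(r[0] for r in results)
    clicked_latest = {r[2] for r in results if r[0] == latest and r[3]}
    return sorted(u for u in repeat_offenders(results, min_clicks) if u not in clicked_latest)

if __name__ == "__main__":
    print("by campaign:", click_rate_by_campaign())
    print("by department:", click_rate_by_department())
    print("repeat offenders:", repeat_offenders(), "improved:", improved_offenders())
```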
“This is one of the most critical areas of security innovation today,” Sedova said.
Although many security leaders may consider employees to be the biggest risk to the organization, Valdez recommends flipping the script. “If you take the time to help them understand their role in protecting the company and how everything they do every day works, you can transform the company into a strong, network-adaptable workforce.”