Optimising the Human Element of Cyber Security
Human error is the most common entry point for cyber security breaches. So, it stands to reason that human talent is the most valuable defence against attacks. How can organisations reduce risk by making humans the strongest link in the cyber defence line?
We invited a group of CISOs, cyber security directors and information security heads to discuss how their organisations are optimising the human element of cyber security, covering:
- Understanding why the human element poses risks
- Training and retaining staff in the face of a changing landscape
- Building a culture of resilience and preparedness
- Managing insider risks, both accidental and malicious
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
RangeForce believes in levelling up SOC and cyber security professionals through advanced cyber security defence training while accurately and quantitatively assessing your team’s existing skills. See real threats in action and sharpen the skills needed to defend your organisation with interactive modules, challenges, and team-based threat exercises that reflect the real world.
The human element
In our age of digital transformations, businesses are easily swept up in what the latest tools and platforms can offer them. It becomes easy to forget that, regardless of technical investment, the human element remains. Unless businesses start optimising their human investment alongside their technical investment, the human element of cyber security will continue to pose risks. Traditional methods of increasing security engagement have never achieved the levels of success needed, and understanding why is the first step towards being able to optimise.
Lessons to be learned
Annual security compliance courses aren’t fit for purpose. Security engagement needs to go further than simply forcing staff through tedious training courses and getting signatures on a sheet. The security landscape is ever changing and therefore any training needs to reflect that. Security engagement needs to be an ongoing campaign that provides relevant training. Go a step further by creating personalised and tailored courses for individual teams, in doing so empowering them to better understand why security is relevant to them and to take responsibility for it.
Security teams are often too busy to dedicate the necessary resources to run engagement campaigns, meaning they become an afterthought and fall flat. Instead, allow and encourage other team leads to run security programmes for their teams. These security champions will spearhead the efforts of security engagement and ensure that individual courses are team specific.
Businesses shouldn’t be afraid to experiment with what a security engagement training programme looks like. Maybe it could be a video? Open forum discussions with questions from the wider business? Is there a way this training could be made easily shareable? Most importantly, ask for feedback. If some people are finding the training boring and uninspiring, ask why. If it’s too simple, develop advanced courses and encourage people to challenge themselves. Ultimately, businesses need to involve those they are trying to engage in the security process.
Struggling to get investment from staff? Never underestimate human vanity. Businesses that published individual team sign-up levels saw a massive increase in engagement simply because no team wanted to be at the bottom of the list.
Retaining your staff
The COVID-19 pandemic has massively shifted the employer/employee power dynamic. Staff are reprioritising what is important to them, causing mass resignations. An exodus of security staff opens up vulnerabilities, and hiring experienced talent has never been harder. Businesses quickly learnt that standardised roles were no longer tenable, and training staff up to be able to float between roles was the only way to ensure the team could be flexible and adapt to requirements. This was enabled by making it policy for staff to spend time shadowing other team members and bolstering that knowledge transfer, something that is particularly important for understanding a role’s esoteric quirks, an understanding that is easily lost should key staff leave.
When hiring new people in this landscape, it has become far more important to look for personality and culture matches than for skill and experience. To that end, promoting staff from within, or transferring those from other teams who are interested in cyber and investing in them, builds upon existing loyalty. Skills can be taught, but fostering this culture of loyalty and resilience comes down to staff personality. It’s also important to look at why staff are leaving and whether or not those issues can be addressed. For example, if it’s a matter of pay, it’s worth remembering that it is far cheaper to pay more than it is to recruit.
A large part of building a security culture comes down to perception and messaging. Security and IT are often conflated, and messaging gets confused. Creating clear distinctions between IT and security provides security teams with a clear identity and agency within the business. With this, security teams can sit at the table, not as a subordinate of IT, but aligned with other C-level peers. Once security is seen as a recognised identity within the business, you can start increasing knowledge and understanding.
As the business becomes more aware of the challenges of security, responsibility can be shifted onto other teams. Work with developers to ensure that security is built-in from the beginning, making it harder for users to make mistakes going forward.
Culture has become an important part of dealing with insider threats, both accidental and malicious. With more interaction being remote and fewer social interactions, businesses need to work harder to demonstrate their values as staff are more conscious of business activities and reputation.
The mindset and culture of younger staff coming up into roles is also important. Younger staff aren’t content to spend each day on menial work, waiting for an opportunity to do something exciting. They want to improve, progress, and be celebrated when they do good work. Without this, staff get frustrated, disengage, and leave. Allow your junior staff to shadow more experienced team members, giving them a sense of a more exciting day-to-day and encourage inclusion. By getting a sense of what their job will become, they are given hope for where the future can take them.
Investment is key
In the same way as we top up our cars with oil to keep them running, so too must we invest in our staff to ensure that the human element of security risk is managed. Security engagement campaigns need to constantly reinforce security’s profile within the company. Not only that, but they need to be tailored and relevant to ensure that they continue to provide value to your teams.
When speaking to the board about investment, make the conversation one about risk. Remind them what is being protected and what could be lost in an attack. A significant cyber threat event will happen; prepare them for that eventuality. Great security practices also enable the business, as both clients and business partners value security. Security shouldn’t be seen as a cost centre purely because the board doesn’t see tangible returns. Repackage these costs as a key asset for the organisation.
The human element of security doesn’t need to be a chink in the armour. Effective training will go a long way to combatting the problem and, most beneficially, will work to resolve the problematic ‘us and them’ narrative within security. Security is everyone’s responsibility; the sooner that is realised, the sooner the human risk can be brought under control.