Alex Nixon from Kroll advocates for a more considerate and nuanced approach to security as a culture, supported by an understanding of shared responsibility by modern-day employees.
The conventional approach to cyber security views an organisation’s employees as material sources of cyber risk. This perspective, while not wholly inaccurate, clearly sets security practitioners apart from users and assumes that the latter act in an inherently risky manner, whether through ignorance or malice, a distinction the former rarely make.
It also doubles down on an approach that does not consider the modern cyber risk landscape, nor the motivations of today’s employees.
This rather traditional approach focuses on the possible negative consequences of employee actions and then attempts to react to them, rather than giving the workforce the opportunity to form a part of an organisation’s proactive defenses.
Many of the prevailing methods used to drive this messaging reinforce this outdated, compliance-driven model of security awareness, which has long reduced it to just another “tick-the-box” exercise.
Cost and time are scarce resources when it comes to addressing security. Armed with an endless supply of both, an organisation can theoretically implement all of its desired security controls.
When it comes to assessing cyber risk and determining effective mitigation and response strategies, most boards and their chief information security officers are forced into an often unwelcome cost-benefit analysis in which they must define an acceptable amount of cyber risk, particularly within an expected time frame.
While implementing adequate technical controls is a fundamental part of security practice, most security teams do not have an unlimited budget with which to implement every possible control. Organisations should therefore pick the controls that are critical to their organisational context and seek to do those well.
Complementing those selected technical controls to safeguard a company should be an educated, motivated workforce.
Given the natural propensity for humans to make mistakes from time to time, they have traditionally been considered a weakness in an organisation’s security posture – rather than a strength which can be cultivated with the right approach.
In a more progressive approach, today’s organisations should be asking their employees what they want to protect when it comes to staying safe online. In most cases, employees will clearly express a desire to protect their home lives and their loved ones.
Rather than treating this perceived “self-interest” as a conflict for the organisation, businesses can recognise that by teaching their employees how to protect themselves at home, they can also in turn transform employees into a strong security control for the organisation.
By giving employees the tools and knowledge to protect and defend themselves outside of work, they develop an implicit understanding of overarching security behaviours which can be carried with them into the workplace.
In short, their mindset has been fundamentally altered. By being taught how to protect themselves outside of the workplace, employees bring these behaviours to work each day.
This is the key to security cultural change, and compliance-based training alone cannot achieve this shift.
Security culture change cannot happen when security is baked into the old adage of “the way we do things here”. It is not enough for an employee to be told that they must not click on a phishing email – they need to understand why and how to spot those emails.
This is particularly critical given the global shift to working from home and hybrid working. We can no longer rely on the hive mind present at the office to spot scams. Every employee must be empowered to defend the organisation in their own capacity and by themselves.
The proposed approach is to teach employees lessons for life – lessons that they can take away and practically apply at home to themselves and their loved ones, which can then become second nature in the workplace.
This leads to a mutually beneficial outcome in which employees recognise that their organisation is choosing to invest in and upskill them, and the organisation thus reaps the benefits from empowering employees to defend their personal lives from cyber attacks as they bring those behaviours into work.
This boosts organisational cyber resilience and increases return on investment in security awareness and, in doing so, transforms employees into the ultimate security control.
Alex Nixon is the senior vice president and country head of cyber risk for Australia at Kroll.