Chief Information Security Officers (CISOs) across the Global 2000 and Fortune 1000 are obsessed with protecting the workforce endpoints as critical vulnerabilities in the cybersecurity and risk management posture of their enterprises. CISOs focus on cybersecurity controls that operate mostly transparently and are focused on mitigating the potential risks to the computing infrastructure’s susceptibility to being breached as a result of actions taken by users, such as clicking on a malicious hyperlink in an email, visiting a malicious website, inserting a thumb drive, or any number of careless actions that might cause immense damage. These actions and their potential for disaster cause CISOs to greet every day with an anticipatory grimace.
What if, for the sake of conjecture, there was a way to transform the workforce and its culture from an entity in need of protection, into a workforce that actively contributes to the cybersecurity and risk management defenses of the enterprise? Would a risk-conscious, security-aware workforce become a security enabler rather than a security risk? Should a risk-conscious, security-aware culture be considered a critical security control?
The Verizon Data Breach Investigations Report (DBIR) identifies email and its attachments as the number one threat vector. The perimeter of today’s computing enterprise is people, as opposed to systems and networks, and the sophisticated attacks that are being conducted by hostile threat actors are targeted at people. Creating a risk-conscious and security-aware culture within an organization can provide as much, or more, protection to an organization’s information infrastructure and associated data assets than any technology or information security controls that currently exist. A risk-conscious and security-aware culture is critical to improving the overall cybersecurity and risk management posture of an enterprise. Cyber threats and the adversaries behind them are becoming more advanced and daunting, and a culture that has risk consciousness and security awareness embedded from top to bottom is significantly more hardened than a typical enterprise. A culture that is risk-conscious and security-aware turns people from assets that must be protected into assets that actively contribute to the cybersecurity and risk management posture and elevates security to being a business enabler rather than a business impediment.
As obvious as such a concept might seem, it remains the case that most enterprises consider security awareness to be a one-hour-per-person-per year compliance exercise. It’s a near-certainty that any enterprise that treats security awareness as a minimal compliance drill is an enterprise where the likelihood being attacked and breached is very high.
Cybersecurity and risk management in today’s computing enterprise is not a spectator sport. It begins at the top, where leadership must embrace effective cybersecurity and risk management as a business enabler and set the risk appetite and tolerance accordingly. Leadership must also practice what they preach on a continuous basis, and hold accountable its executives for the effective risk management posture of the business units they control. Security then becomes imbedded in the culture through continuous messaging of leadership’s priorities, relentless but enjoyable and rewarding awareness exercises, positive reinforcement of good behavior, incentives for proactive actions, group events with industry leaders, celebrations of success, and any such initiatives that reinforce a culture that embraces security as an essential element of the employee’s work-life balance.
According to research conducted by the Ponemon Institute, the average total cost per breach has increased from $3.54 million in 2006 to $8.19 million in 2019. The indirect and hidden costs could be much higher. Any reasonable cost-benefit analysis or business case analysis would suggest that an effective campaign that creates a risk-conscious, security aware culture would be a critical control in need of implementation.