“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#7 Human factors require a reframing of security awareness programmes
Everyone learns differently, so we need to take a multi-modal approach to security training. Some people might learn better by reading a document, others will respond better to video. Still others need something interactive. You need to find out how your employees learn best.
This is especially important when you're trying to change security culture. The best way of doing so? "Don't make it all about the business."
If people have bad cyber habits at home, they'll bring those to work with them - so give them a reason to change their habits at home.
Furtado gave an example of one security leader who had "given up" on MFA. Instead, "He came up with a personal payroll protection programme that basically said, in order for you to make a change to your HR record you're going to get a message on your phone. Only after you authorise it can you go in and change that banking information. So, we're protecting your payroll."
That programme - really MFA by another name - had an adoption rate of 90%.
"When you make it about the individual, that's going to resonate more… If we want to change the culture, we have to deal with the human animal."
Action plan:
- Develop culture change that equips users with cyber judgement skills.
- Investigate the use of organisational change management best practices and social science principles, such as culture hacks - "It doesn't always have to be about the IT guy."
- Collaborate with business leaders on culture-changing activities.
- Adopt new training methods like gamification, in-the-moment nudges, real-world phishing simulation and outcome-driven metrics.
The future of defence might be unclear, but bringing in some business focus will make protection easier - for the organisation, the IT team and even the users.
Furtado ended with his advice to security leaders who were still struggling to secure investment from their leadership teams:
"Treat cybersecurity as a business risk that needs business-led investment. We need to be able to defend that investment."