Rock star CISOs
The benefits of employee awareness have been discussed ad nauseam. Both research and experts agree that employee awareness and cyber-security posture are positively linked. However very little has been discussed on how the CISO benefits from raising employee awareness both personally and professionally.
Obviously, any manager wants to advance their career by performing well and displaying positive results. With CISOs and CSOs, it’s a bit more difficult. Metrics are difficult to create and gauge, their work is usually perceived as a mysterious necessary evil no one wants to get into and of course – it’s extremely difficult to prove positive ROI on any information security project. In this environment, it’s no surprise so many CISOs, CSOs and cyber security managers reduce their focus to technical issues and avoid the corporate management scene.
Enter Employee Awareness.
As aforementioned, employee awareness is an important part of a sound cyber security strategy, BUT also one that cyber security managers can harness to promote their own personal and professional brand in the company and outside. When working with CISOs and CSOs we, at Maya Security, see the importance of making those managers shine. Not only because we like them but because a popular and accepted CISO will lead cyber security better, more efficiently and have greater success in promoting cyber security projects with senior management and getting their support and funding.
Following are a few ways we achieve better status and positive visibility for CISOs and CSOs:
1. WOW employees
Sending out a recycled newsletter or showing stale videos that look like PBS shows got old. As human attention span keeps decreasing, catching employees’ attention takes some effort and experience but here are some quick wins:
Use video clips (buy or create them yourself) which are short, concise, humorous and relevant to your employees’ work or home.
Bring in expert lectures. It is said that a picture is worth a thousand word. If so, then a short presentation of a professional hacking a phone and using its camera and microphone without the user’s knowledge is worth a thousand days in awareness training…
Translate to Human. Understand that most employees don’t understand the jargon. Too much detail will lose your audience. Keep it Simple.
Train, don’t preach. Give your employees the tools they need to withstand a phishing or other cyber-attack. Point to red flags that are indicative of an attack. Describe exactly what steps the employee should take when suspecting an attack.
2. Campaign Awareness
Don’t limit yourself to the employee’s monitor. Put up posters signs, give out prizes and swag, have contests and prizes. Well, you get the idea…
Repeat campaigns and simulated attacks to achieve steady progress.
Campaigns should be rolled out every 12-18 months.
Phishing attacks should be spread out no more than 4-8 times a year.
3. Involve Management
Management involvement is important in any project but here it’s not only about support and budgeting but also about showing employees that awareness is important to management and is an organizational goal.
4. Simulate Attacks
Having gone through simulated attacks gives employees the knowledge and confidence to quickly identify an attack and resist falling for it.
Attack your employees via email, internet pages, phone messages and any other attack vector you can simulate. Every attack should be followed by constructive feedback (both for failure and success) and short training to better identify and block this kind of attack.
5. Measure Progress
Measure progress. Nothing displays success better than graphs and pie charts. Presenting hard evidence of success in well-designed reports and PowerPoint presentations shows that you’re on board with corporate leadership, that you can talk the talk as well as walk the walk.
Use short, fun quizzes to gauge success and track employee response to simulated attacks.
Measure individual and overall progress.
Constructively help low-performing employees.
Present hard data to senior management in a professional manner.
6. Celebrate Success
Publish campaign results
Emphasize on progress made
Offer additional material for interested employees
Circulate success data.
Thank employees for participating.
Transforming your position from the disgruntled professional to an outgoing, helpful and concerned manager takes work but it’s crucial if you’re serious about your company’s cyber security and your career.