A large majority of CISOs still struggle in engaging business people on cybersecurity issues
We need to recognize with humility that a large majority of awareness campaigns have not produced expected results, even more facing the worrying rise of the threats and the never-ending increased sophistication of malicious actions to get people falling into traps.
This is mainly due to :
- Cybersecurity teams working in silo to design and implement awareness campaigns : thus using their words and ways of approaching cybersecurity, mainly through their technical and expert lenses and not through the lenses of the audience they want to influence. Not to say that the strategy of hammering the idea that end-users are the weakest link, that the problem lies in the ones sitting between the chair and the keyboard, led people to avoid doing anything in the fear of doing something wrong rather than taking positive actions to solve the issues.
- Spreading messages around in a non-business related way : if you’d like people to change behaviors (which requires efforts, let’s always remember this), they are to be able to
- understand how it relates to their daily business tasks
- be certain that they will get something back in doing the effort of investing time and energy completing tasks that might be considered out of their scope of responsibilities
- be clear on what they can realistically do
- Focusing too much energy to get cybersecurity in the CEO agenda, to get a seat at the board level, with technical vocabulary which is largely impenetrable for leaders.
A blindspot : the under used potential of the management line to establish a cybersecurity culture at every level
Having implemented programmes to change behaviors and develop new skills across a large variety of geographies during twenty years, I learnt that it is unlikely people to move out of what is being known as their comfort zone (what they used to do for many months/years and it has always well worked this way), if you do not engage first with the management line. Why this ?
Firstly, because managers are the ones setting people objectives, reviewing and assessing performance that leads to salary review and career progression. Thus, if anyone’s manager does not set any specific objectives related to cybersecurity, why caring about it ?
Secondly, because the management group is the go to people when you have questions, when you are unclear on why doing something, what to do or how to do it. In addition, if someone did something wrong (such as clicking on a link or opening an attachment and realizing that it might have been a phishing email), if this person is operating with a manager who has established a kind culture where doing an error is an opportunity to learn, this will be not be an issue for the person to quickly report his/her mistake as a potential incident rather than hiding it, even for a while.
Last but not least, managers are the ones who are the best positioned to identify vulnerabilities and risks emerging from the entity they are in charge of. They will be also the ones who will play a critical role in case of cyber incidents, to maintain the activity and cascade down resilience protocols.
As a conclusion : engaging managers on cybersecurity issues, turning them into cyber ambassadors in their entity is an amazing and under used way of accelerating having each employees becoming your best safeguards.