Time and again, whenever a company is breached, people say: “They were phished. Did they do awareness training? They did? Well, somebody still clicked, so that obviously failed.” Then they continue: “Oh well, humans are awful; awareness training is worthless; we need to double down on technology.”
What is entirely missed in this conversation is the number of technology layers that had to be bypassed for that email to reach a human in the first place. And even after the click occurred, how many layers of technology had to fail for the threat to take root? Would they say the same about scrapping the firewall that was breached? About the endpoint detection that also failed? The secure email gateway? No.
So how do we change this conversation from giving up on humans, in this all-or-nothing cycle of security-awareness training, to recognizing that humans are one layer in the security stack — a critical layer — that has been underinvested in for decades?
Here’s the answer: Leverage the human layer as a crucial cog in building resilience within the organization. Prudent security leaders will seek to build this layer up to its full potential, to analyze and monitor it, to fortify it, and above all, to learn from its failings — just as we would any other technical layer of the security stack.
Security Awareness vs. Security Culture
There is a problem with the conversation surrounding security awareness training and security culture. The two ideas are often conflated. The concepts are related, yes, but they are not the same. Many people define security culture as simply being “aware” of threats and how to respond to them.
Yes, awareness is a critical aspect of building a strong security culture, but it is just one piece of the puzzle. It is important to realize that being aware is not the same as caring. Knowing about security doesn’t guarantee anything other than head knowledge… and even that assumes employees will remember the information they learn and interpret it in the right context.
Think about it from their perspective. Why should non-security professionals care about security in their company? Why should they take on that additional responsibility, when they already have a full plate?
This is where security culture comes into play. The conversation needs to shift from simple awareness to the scope of an organization’s culture. I define culture as the fundamental underpinning of an entire organization: the ideas, beliefs, behaviors, and knowledge that its people engage in. In other words, how people act and how they support the systems that operate within the business. If an organization’s security culture is strong, it includes shared responsibility. In turn, this helps to nurture a community.
How to Create a Strong Security Culture
Take an organization that gamifies its security training and simulation programs; an organization that turns dry, old awareness training into healthy competition, allowing employees to socialize over it. Employees can compete to be the best phish-catcher of them all. Or, better yet, how about an organization that takes phish reporting to the next level: An employee reports a suspected phish, the security team confirms it is a real threat, and either removes that threat from any other mailboxes or uses tools that replace that real phish with a sanitized, training version of the email. The employee who reported the threat has protected the organization and helped inoculate other employees against a confirmed threat.
This is no longer just a game — employees see the impact one employee can have in protecting the organization. Employees share their successes with their co-workers and their managers. They feel proud. It becomes a game, and it becomes fun. Now, the people are more than aware. They care.
With security culture, you want to influence and build certain behavior patterns and belief systems across the wider organization. You want to build resiliency against cyber threats. The natural outcome of building a strong security culture is that the organization has an additional layer in its security stack. And a very important one at that.
But building a human defense layer is not a one-and-done thing. Like any other layer — endpoint detection, firewalls, email gateways, and more — your human layer must be able to evolve and keep up with the ever-changing cyber-threat landscape. There will be failures and there will be vulnerabilities. That does not mean you should ever give up on it.
Evolve the Complete Security Stack — Including the Human Element
When there is a problem with a firewall, you invest and put energy into rebuilding it, learning what went wrong, and preventing it from happening again. The human side of security must evolve with the times just as much as the technology side.
So, there is the answer.
If there is a problem with your human layer in the security stack, where employees in your organization consistently click on bad links — do not get mad, and do not chastise. Learn from the failures and fortify yourself against them. Do not just provide security awareness training; foster a culture of security.
How? Reward good behavior and (where possible) refrain from punishing. Drive engagement up with a vast range of training content. Encourage healthy competition. Make it fun. Make them care, and there you will have it. A strong security culture is a human layer amid the hundreds of other technological ones, all of which are also flawed or capable of being flawed, but none of which will ever be useless.