What Every CISO Wants for Christmas
As I remember past holiday seasons, I remember our children asking their mother what she wanted for Christmas. She always answered, “Good Children and a Clean House!” without missing a beat. Don’t get me wrong, we weren’t raising four delinquents in a barn; instead, it was a general wish for things to stay good through the coming year.
Looking back on my CISO years, I wanted something similar from work. I wanted the system users to follow policy and pay attention to basic security practices. I also wanted my “house” to be clean from malware, destructive code, and system vulnerabilities.
Let’s discuss the user end. Just as with our four kids, we really wanted good behavior to become second nature, so we didn’t have to constantly remind them to pick up their toys and clothes. In the workplace, we want our users to keep a clean desk, change their passwords, avoid clicking on suspicious emails, and manage the several other risks they control.
Today, most of us rely on traditional security awareness strategies, mainly awareness training materials, e-learning videos, and phishing simulations. This method increases knowledge (what) and people’s capability (how). However, just as facts alone don’t change our minds, knowledge doesn’t guarantee behavior change, although many security professionals think it does. That’s because a critical aspect of behavior change is MOTIVATION (why) – what people want and why they do it. You can require your employees to go through rounds of training and tests, but if they don’t care enough to apply it, it’s money and time wasted.
However, knowing what to do and when to do it does not guarantee a behavior change. Employees need to see the value in recognizing and reporting phishing, such as better security. The company can communicate this value proposition and the risks of clicking on a malware-loaded email, but what is the personal motivator to avoid phishing emails?
Most credit unions have some ongoing phishing education, using test messages sent to the organization. If you click on it, you get a FAIL message. You typically use this information to identify users who may need additional training. On the other hand, if you identify the email, you get an atta-boy message, and typically, that is the end of the process. Missing here is the positive motivation for the employee.
Try creating a process where employees can earn rewards for finding and reporting phishing emails. There are many simple ways of providing positive reinforcement. Award “points” that can be redeemed for coffee gift cards, company-branded merchandise, lunch with the boss, etc. Publicize the winners in a company email. Give a yearly trophy for the best “phisher person.” As you can see, many ways to provide positive feedback don’t take much time or money.
When an organization has a strong cyber security culture, its employees are more aware of the importance of cyber security in the workplace and are more likely to act securely. A large part of a CISO’s job is creating and maintaining a positive security culture. The best programs are ones that are complementary to the values already deeply ingrained in an organization’s overall culture, such as member service. It’s most effective to align the security culture with the existing culture rather than trying to change it or lay another new culture on top of it.
The Pure IT staff has deep experience in working with credit unions to enhance their security strategies and culture. Contact PureIT to discuss this or any other security questions you may have.