A CISO’s greatest ally? The answer might surprise you…
If you’re a CISO – or in charge of security – then you could well be a lone voice calling for investment in your people and security culture change. Is anyone on your side? We think so, and there’s probably more of them than you think.
I used to go to parties or business networking events and when I’d say I worked in cybersecurity people’s eyes would glaze over and they’d quickly change the subject. Not so now: these days everyone wants to talk about it. Why? Because they have a story to tell about someone they know getting scammed, or a near miss with ransomware at work, or a phishing email they received and had the presence of mind not to answer. Not only that, cybercrime is in the news like never before. At last, the media has caught up with events in the real world and the headlines are bringing home to everyone the nature and scale of the threat.
Together, these things represent a cultural shift
Security is getting talked about more often and more widely and – realising that cybercrime has overtaken traditional forms of crime and that security is no longer just about locking the front door – ordinary citizens, who have hitherto had little apparent interest in cybersecurity, now have a bunch of questions about how they can best protect themselves and the people and things that matter to them at home and at work. They are hungry for knowledge (they know that it’s currently patchy), they want to work with other people to find solutions (because they currently feel isolated) and, yes, they’ve got anxious about their responsibility to protect the business, and scared of the impact of cybercrime on their livelihoods and their families.
And that brings us to the CISO’s greatest ally, and it’s actually a group of people: a drum roll please… It’s the ‘average employee’: those ordinary citizens are the much-maligned end users whom many security chiefs once saw as the bane of their lives. These people are ready to learn and, what’s more, to take action to become more secure. They know they need the training you want to provide, they’re ready to receive security communications and messages, and they’re ready to take up the mantle of ‘frontline defender’ of your organisation.
At Layer 8 we work with businesses to help develop networks of security advocates or champions, and we often sense the scepticism of CISOs, IT heads and managers when we tell them that their allies – these advocates or champions – already exist. But that scepticism is dispelled when people readily put their hands up to volunteer for the role and come to our initial training workshops demonstrating their pre-existing knowledge about security, sharing good practice they’ve already established and showing their eagerness to get started in their new role. As a result of all this, they leave the workshop and make change happen – and fast.
Still don’t believe it? Put out a survey or a questionnaire to garner end users’ opinions and attitudes, or better still… talk to them: go out and start the security conversation that will change the culture of your organisation!