All too often in cybersecurity, the story that gets told focuses on how people are the weakest link.
But there is far more to the story than that. The full story is that your team, if properly educated, empowered and engaged, is the single most effective means of spotting and thwarting the most common and dangerous cyber attacks.
Effective Security Programs
According to the SANS 2017 Security Awareness Report, employee engagement is the second largest challenge faced by security professionals.
The modern cybersecurity professional requires more than just technical skills and savvy; they also have to be effective communicators and marketers. Truly effective and engaging security programs include education and empowerment activities built on a variety of marketing and communications efforts, from computer-based training and phishing simulations to engaging presentations tailored to different audiences (executives, sales, IT, front-line staff) and more.
Doing that with limited resources, while also carrying out a variety of other tactical and strategic cybersecurity activities, from risk evaluations to regular incident response planning and testing and more, requires teams to work smarter, not just harder.
And to do that, they need effective ways to measure progress and adjust their efforts to focus on the areas where they can get the maximum security return for the time and resources invested. They need effective metrics for employee engagement with cybersecurity.
Employee engagement looks like employees who care about the company, are energized by their work and want to help make it a success. It’s now the job of security professionals to empower engaged employees with the knowledge and resources they need to be active defenders for the organization.
As a management team or security professional, building that level of commitment to the security program can extend your security team to your entire organization. Research from the Gallup Organization shows that in order for teams to feel engaged, they need to understand why the issue is important and relevant to their position.
Ingraining security into the corporate culture doesn’t happen overnight, but there are a few steps you can take to start the conversation.
Set the context of the security world.
Most organizational team members outside of the IT department have no idea just how large a threat cybersecurity can be to the organization and to their personal lives.
Many struggle to connect the dots between the daily deluge of cybersecurity headlines about breaches and attacks with their lives and what they do at work. A good security program will help them understand the connection between cybercrime and their personal and work lives.
Educate users on the difference they make.
The users of your IT systems are the best line of defense for organizations, so stress to them how critical their role is. For example, users who report suspicious e-mails can often alert an organization to a well-crafted e-mail attack targeting specific individuals or groups faster and more effectively than its automated systems can.
When users understand their responsibilities connected to the success of the organization, their behaviour starts changing.
Give your team a personal metric.
One of the reasons we’ve developed an innovative approach to a personal cyber risk score for all organizational team members is that it provides a clear, easy-to-understand metric that people can influence.
Our cyber risk score rewards good security behaviour, such as taking training and doing well on it and reporting simulated or real phishing attacks, and attaches clear consequences to poor security practices, such as real incidents that affect the organization.
Communicate the good, the bad, and the ugly.
Cybersecurity should be part of almost every conversation you’re having with people. Highlight the ways that following proper cybersecurity processes helps your employees, e.g. by reducing the likelihood of downtime and increasing productivity. At a strategic level, explain that building cybersecurity into the organization will give you a competitive advantage in your industry, and connect cybersecurity back to key organizational strategic objectives.
Questions to consider:
When reviewing the state of your organization’s cybersecurity efforts, and in particular when reviewing how you’re doing with awareness and engagement, ask the following questions and consider how you can measure each:
Do our employees care about security?
Do our employees believe this issue affects our organization? Do they believe this is important to the organization’s leadership?
How much do they know about cybersecurity already? What are their strong points and where are opportunities to improve?
How can we get managers, directors and senior leaders engaged in cybersecurity conversations? What metrics can we use to help them manage this issue?
If you’re unsure of how to tackle these or would like an easier way to do so, let us know and we’d be happy to show you how our platform can help.