Security is everyone’s responsibility. Whether it is viewed as a burden, an obstruction to business goals or part of doing a good job, achieving effective security requires each and every individual to participate. However, in the cyberworld, people do not perceive threats in the same manner as they do in the physical one. There is no need to inform someone of the danger of going down a dark alley at night or walking through a field infested with rattlesnakes. These threats are immediate and real in a way that is obvious to the observer, resulting in a sense of heightened alertness. But since an individual is unlikely to be physically harmed by a cyberthreat, they are less concerned for their safety when encountering one—until something happens that negatively impacts them or their organization. To improve security vigilance, cybersecurity training must equip employees with the understanding that cyberattacks can impact their jobs and the organization’s ability to conduct business. The individual must know and understand cybersecurity requirements, but just as important is that they have the ability to recognize threats and react accordingly. This does not mean that everyone needs to be a security expert, but rather that each individual in the context of their job must understand threats and how to mitigate them.
To achieve this objective, an organization’s security training program must be layered, meaning that the amount of technical information exchanged is directly proportional to the role the individual plays in the organization. Often within security training, one undergoes general security orientation and more specific security training that applies to one’s own role. All employees go through the orientation when they are onboarded at the organization and it is then repeated on an annual basis as a refresher. But role-specific training is ongoing; it must be responsive to the ever-changing threat profile of the job being performed.
In the past, as the security manager at a US federal agency, I brought in magicians to change how the cybersecurity message was presented. I have also shown clips from popular movies to demonstrate various threats and cybersecurity requirements, illustrating either mitigation or exploitation. This works well for security orientation, but not so much with role-specific training. One of the biggest oversights in role-specific security training is the reliance on teaching the individual compliance processes vs. teaching the individual how to integrate security into business processes.
This is especially true for users who are developers and administrators. For example, consider software code checkers. One would think that only a fool uses a tool that they do not understand, yet I see this often. Instead of teaching software developers the proper way to implement software, compliance teams run a software code checker at the end of the development process. This is done without the context of software or security architecture and many times without the most important tool: data architecture. If the only attempts to secure the software process are at the end of its life cycle, that is not achieving compliance; it is attempting to enforce security after the fact. Security processes conducted prior to going operational should result in an identified level of risk. The number of threats that have been corrected by developers during development reflects an effective security program. This reduces security activities at the end of the development cycle to validate compliance. However, this is not to say that a compliance professional should not be grouped with the engineers; rather, the compliance professional should serve as an engineer who is fluent in business processes, software development and cybersecurity.
Employees who are functional users (e.g., lawyers, accountants, clerks) also have many security concerns that need to be addressed. The most important thing I tell users is that “No one outside your family loves you on the Internet. If they say they do, it probably is not love for you, but love of being able to install hostile code or take over your account.” Users must understand who they are dealing with on the Internet, how to identify them and how to ensure that they are not being redirected. To achieve this, instruction should be provided on how and why domain names are important. Domain names are the key to understanding with whom one is working on the Internet. In an email, the “From” field can be set to anything one wants it to be. When I send an email, I can put any individual from any domain in the “From” field. It is critical to read the “From” field to determine whether someone has substituted a look-alike variation of the real domain name. In addition, when one replies to an email, one should inspect the email address that is populated in the “To” field. The same applies when browsing the Internet. All Internet browsers have an address field where users type the uniform resource locator (URL) of the website they wish to visit. It is also where scripts and programs enter destination URLs. Observing the address field to verify that the URL entered is valid for the intended destination website is critical to ensuring effective user security.
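As an added example that is not part of the article, the following Python code checks the two things the paragraph asks users to inspect: the domain in the actual address of a From or Reply-To header (ignoring the display name, which is free text) and the host a browser would really connect to for a typed URL. The expected domain `example.com`, the similarity threshold, and every sample header and URL are constructed for illustration; the `lookalike` verdict is a simple edit-similarity heuristic, not a complete homograph detector.

```python
"""Sender-domain and URL-host checks of the kind the article asks users to
perform by eye. Added illustration; the expected domain and all samples are
constructed, not taken from any real organisation."""
from email.utils import parseaddr
from urllib.parse import urlsplit
import difflib

# Assumption: the organisation's real domain.
EXPECTED_DOMAIN = "example.com"


def sender_domain(header_value):
    """Return the domain of the real address in a From/To/Reply-To header.

    The display name ("Payroll Department") is ignored; only the part after
    the @ in the angle-bracket address is what a reply would actually reach.
    Returns None when the header carries no usable address.
    """
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def reply_target(headers):
    """The address a reply is populated with: Reply-To if set, else From.

    This is why the article says to inspect the "To" field when replying:
    a benign-looking From can be paired with a different Reply-To.
    """
    return headers.get("Reply-To") or headers.get("From", "")


def url_host(url):
    """Host a browser would connect to for the given URL.

    urlsplit().hostname drops any user-info before '@' and any port, so
    'https://example.com@evil.test/' resolves to 'evil.test'.
    """
    return (urlsplit(url).hostname or "").lower()


def domain_verdict(domain, expected=EXPECTED_DOMAIN, threshold=0.75):
    """Classify a domain against the expected one.

    'match'     exact match
    'subdomain' a host under the expected domain (portal.example.com)
    'embedded'  expected name appears, but not as the registrable suffix
                (example.com.evil.test), a common deception pattern
    'lookalike' close string similarity (examp1e.com); threshold is a
                constructed heuristic value
    'other'     unrelated domain
    'missing'   no domain could be extracted
    """
    if domain is None:
        return "missing"
    expected = expected.lower()
    if domain == expected:
        return "match"
    if domain.endswith("." + expected):
        return "subdomain"
    if expected in domain:
        return "embedded"
    similarity = difflib.SequenceMatcher(None, domain, expected).ratio()
    if similarity >= threshold:
        return "lookalike"
    return "other"


def check_message(headers):
    """Verdicts for the From domain and for where a reply would go."""
    return {
        "from": domain_verdict(sender_domain(headers.get("From", ""))),
        "reply": domain_verdict(sender_domain(reply_target(headers))),
    }


if __name__ == "__main__":
    # Constructed samples: a genuine message, a look-alike sender, and a
    # message whose From is fine but whose Reply-To is not.
    samples = [
        {"From": "Payroll Department <payroll@example.com>"},
        {"From": "Payroll Department <payroll@examp1e.com>"},
        {"From": "Payroll Department <payroll@example.com>",
         "Reply-To": "payroll@mail-example.co"},
    ]
    for headers in samples:
        print(headers, "->", check_message(headers))
    for url in ["https://portal.example.com/login",
                "https://example.com.evil.test/login",
                "https://example.com@evil.test/login"]:
        print(url, "->", url_host(url), domain_verdict(url_host(url)))
```

The point of `reply_target` and `url_host` is that the visible text (display name, or the `example.com` at the start of a URL) is not what decides where a reply or a request goes; the parsed address domain and the parsed host are.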
It is difficult to regulate security. However, it is easy to regulate compliance. So, by empowering individuals who know their jobs and the subtleties of their vulnerabilities with proper cybersecurity knowledge, one can exceed anything an external security business process can achieve.
Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is an independent consultant working in the science and technology and advanced concepts domains. He provides secure innovation in an ever-changing technological topology, ranging from medical and communications innovation to innovation of advanced military applications requiring a wide range of compliance and security engineering solutions.