A roundtable discussion forum of leading CISOs within the Wisegate community of senior IT professionals recently shared their own methods and insights into one of security’s most intractable problems: ensuring a company’s own staff understand security and operate accordingly. A strong theme to emerge from this discussion is the need for security to avoid operating as a silo within the company, but rather to integrate and work with other parts of the organization. This shows itself in two specific areas of advice – use the expertise of other company departments to help with the message, and break down any barriers between the user and security.
While it is recognized that the legal department must get involved in areas of compliance, CISOs should turn to the marketing and training departments and use their expertise in both developing an awareness program, and then selling it to the user. “We didn’t do that in the beginning,” says one CISO, “and a lot of what we thought that people were going to want was rejected... But working more with the people who have experience with actually training people and presenting things was, I think, a really smart move.”
But users are often ‘afraid’ of security people. “No matter how many times we try to demonstrate that it shouldn’t be scary for users to come and tell security ‘hey, we’ve got a problem here’ or to say that some control we have mandated isn’t working for them,” said another CISO, “people still seem to be hesitant to bring things up. Maybe they think we are just going to say no, or they’re going to get in trouble.”
The advice here is to develop a network of security champions or liaison officers within the different company offices. By belonging to users rather than security, these liaison officers are far more approachable than formal security staff. They can help relate security goals with the users’ business constraints; and help the security team find acceptable solutions.
However, while it is noticeable that CISOs recognize the need to fully use all expertise within their own companies, there is clear tendency not to engage with external awareness providers. In a separate survey across its wider community of security officers, Wisegate found that less than 1% of companies use only third-party training companies. A full 50% develop their awareness regime fully in-house, while 42% use a combination of third-party and in-house training. (Amazingly, as many as 7% do no awareness training at all.) The message for training companies is simple – just as CISOs need to be able to work with other elements within their companies to provide a tailored awareness campaign, so must training providers be willing to customize their offerings to suit individual companies.
“What emerged from the panel of security experts was an agreement that there is no one-size-fits-all answer to awareness training,” said Tom Newton, CISO of Carillion Clinic. "CISOs need imagination and perseverance to get their message across, and often innovative methods of training from third-party vendors can be quite helpful. We must instill in each employee they are ultimately responsible for information security.”