Cybersecurity Awareness: An Open Letter to CISOs

Dear CISOs, 

Cybersecurity Awareness Month has recently ended, and there’s a strong feeling of déjà vu.

People were once again branded as “the weakest link,” “assets” or other dehumanizing terms – we also came across dozens of articles in which vendors scaremongered with the latest cybercrime stats.

Even more interesting were the various ways in which articles tried to avoid blaming people… while still blaming people. Whether it’s ‘the end user,’ ‘human error,’ ‘the under-trained employee,’ or in more recent years, the ‘hybrid’ or ‘remote’ worker, they all say the same thing: people = problem.

On the other hand, but in the same vein, training bodies used the month to tout their “creative, funny and widely engaging” awareness videos that will apparently arm people with the skills they need to stay secure.

Do you really feel any more secure? 

It’s time to do the math. 

The Numbers Are Uncomfortable

Every October, the industry comes together to raise awareness of cybersecurity. Yet, every year attacks continue to surge. If this ‘awareness’ celebration is having an impact, where are the improvements?

It’s not like we’re working in an underfunded industry. The global cybersecurity market is projected to reach $155.83bn in 2022.

However, all the money in the world won’t make a difference. We need to address the root cause of the problem.

The Unspoken Truth of Our Industry

Cybersecurity awareness, in isolation, doesn’t work. It’s dead.

We need to put cybersecurity awareness to bed, or even better, in a grave. 

Everyone knows cybersecurity is a bigger issue than it’s ever been. 

Now is the time to take action. Now is the time to focus on long-term behavioral change. Now is the time to get specific, sympathetic and scientific. 

How do we do that?

Get Specific

Be specific about the security behaviors you want to influence and why. Focus on addressing those specific behaviors. Stay focused. It’ll help you determine whether you’re having any impact and being effective.

Stop being blinded by a focus on ‘engagement.’ Engagement without changes in security behavior is meaningless. Period!

The Security Behavior Database, or SebDB, is the world’s most comprehensive cybersecurity behavior database. It’s maintained by industry professionals and academics and maps over 70 security behaviors to risk-related outcomes. It helps you be specific about security behaviors.

Get Sympathetic

Stop with the ‘trick, train, and entertain’ mentality. Just. Stop.

People don’t want or need more training. Provide them with information that is relevant to them, at the right time, in the right way. Make better use of apps, mobile technology, and timely, relevant notifications and nudges.

Be careful with phishing simulations. Stop trying to catch people out. Recognize click rates and report rates are a very limited measure of anything useful. ‘Clicking’ and ‘reporting’ are just two of many security behaviors you should be trying to impact within your organization.

Get Scientific

Be clear about the scientific evidence behind the behaviors chosen and interventions applied. 

Awareness or ‘capability’ is only one of the ingredients needed for behavior change to take place.

Behavior change happens as a result of people’s Capability (their psychological and physical ability to participate in an activity), their Opportunity (external factors and resources that make a behavior possible or not) and their Motivation (the conscious and unconscious cognitive processes that direct and inspire behavior).

The approach comes from a behavior change model known as COM-B.

COM-B states that for a person to perform a behavior, they must feel (and be) able, their environment must let them, and they must want to carry out the behavior more than competing behaviors.

In essence, you need the right balance of one or more factors to change behavior.

Whilst we’re at it, let’s end the ‘trick, train and entertain’ metrics. Or at least recognize that compliance-only metrics don’t indicate risk reduction. Start measuring the impact you’re having on the specific security behaviors. Of course, this isn’t easy. That doesn’t mean it’s not the right thing to do.

When done right, security should be a by-product of our ability to understand and help people with their problems.

Let’s put this into action and put a stake in awareness.

Yours Faithfully,

Oz Alashe 
