CIOReview | DECEMBER - JANUARY

IN MY OPINION

By Alex Cummings, Information Security Awareness Program Manager, SouthState Bank

INFORMATION SECURITY AWARENESS PROGRAMS: SECURITY CONTROLS FOR THE MOST VULNERABLE ATTACK VECTOR

With the plethora of technology-based controls that have been brought to bear against would-be evildoers the world over, cyber attackers have had to refine their tactics to focus on the one asset that remains unsecured: the employee. Just like any other system in our organization, "we the human" handle sensitive information, communicate with other humans in our network, process requests, and produce output. Unlike other corporate systems, though, we can't be laden with a host of endpoint detection, data loss prevention, and SIEM agents (though sometimes we're still sluggish to boot up in the morning). These truths require us to shift part of our information security focus away from purely technical controls and into the realm of communications, training, marketing, and corporate culture.

It turns out that combating our cyber risk now requires a soft-skills solution, a fact that many organizations have come to recognize. According to the Verizon 2021 Data Breach Investigations Report, social engineering leads the pack among causes of a breach, and 85 percent of breaches involved a human element.

With that in mind, the first question that always gets asked is "how?" You mean to tell me that if I want to bring our risk within appetite, I'm going to have to change hearts and minds? I agree, the idea of trying to shift a corporate culture feels daunting, like trying to move a mountain with a megaphone. There are a couple of key principles to keep in mind when tackling this particular bear, and that's what I'd like to talk about today.
The technical side of managing human risk involves good access controls and password standards, and it isn't uncommon to find organizations whose primary use for an awareness program is simply to meet compliance requirements. That is a critical need, to be sure; however, a more mature program presents a great opportunity to lower organizational risk. SANS has developed a model, the Security Awareness Maturity Model, that greatly helps to quantify and track the maturity of your program (and thereby the impact it's having). It breaks program maturity into five stages, and with each stage comes a greater level of security. Each stage has clearly defined objectives. How your organization goes about meeting those objectives will vary slightly, but there are some key components that are ubiquitous to successful programs.

For starters, you will need someone who is dedicated to the role of running the awareness program, with a title to match that role. Awareness is not a part-time gig; it is a full-blown security control and requires full-time attention to keep it running. Statistically speaking, programs that are shown to have a significant impact on the security of their institutions have at least two FTEs dedicated to the effort. Following that, the program is obviously going to need good support from stakeholders within the organization, whether key executives, line-of-business leaders, or internal marketing and communications teams. At the end of the day, moving the corporate culture needle is a social effort, and having supportive