The second week of National Cyber Security Awareness Month (NCSAM) has begun, and this week’s efforts are focused on creating a culture of cybersecurity in the workplace. While much of what we do at the National Cyber Security Alliance (NCSA) is focused on consumers using the internet at home and on the go and how they can protect themselves and their families online, it’s equally important for organizations to teach their leadership and staff about their roles in protecting company, customer and employee data and intellectual property. Having a strong internal awareness program at your organization can help foster a culture of cybersecurity and empower employees to protect the information and devices they use in their jobs – and understand how to stay safer online when they’re away from the office, too.
I recently sat down with Lance Spitzner, director of SANS Security Awareness, to discuss the importance of strong security awareness at a company and how organizations can enhance their existing programs or implement successful new ones. Lance has more than 20 years of security experience in cyber threat research, awareness and training and has helped more than 350 organizations plan, maintain and measure their security awareness programs. Lance is also a member of the NCSA Board of Directors.
MICHAEL KAISER: You have been focused on internal cybersecurity awareness training for many years; how have you seen the landscape change over time?
LANCE SPITZNER: The biggest change (and the most exciting part) is how quickly the field of human security is maturing. Three years ago, organizations were just starting to focus on going beyond just compliance and changing behavior, and phishing programs were new and exciting. Now, both of these are the norm. People want to know what is next – how we can effectively go beyond just behavior and make security part of the culture. This is where we are seeing organizations really push the boundary with things like escape rooms (in which participants are put in a room and presented with puzzles to solve using common security best practices in order to “escape” within an hour time frame) gamification and especially ambassador programs.
MK: More and more companies are dedicating personnel and/or training resources to cybersecurity. What have been the strongest motivators for companies to ramp up their cybersecurity training?
LS: The motivation is simple: need. Organizations are repeatedly seeing people as the primary targets for bad guys; they have invested huge sums of money, time and resources over the past 20 years in technology but have spent nothing on people. Organizations are realizing their mistake and beginning to understand that cybersecurity is both a technical and human problem (and solution). As Bruce Schneier infamously said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
You connect with hundreds of internal cybersecurity awareness professionals each year. Can you describe some key elements of successful awareness programs?
LS: People and communications. First, you need people to build and maintain the program. When I start working with an organization on its awareness program, I do not ask how big their awareness budget is; I ask how many full-time employees (FTEs) are dedicated to the awareness program. For many organizations, there is a problem if there isn’t at least one FTE; the most successful awareness programs have two or more people dedicated to them. The second element is soft skills: if your awareness program is run solely by geeks who have weak or no communication skills, it will fail. The best awareness programs I’ve seen are run by English teachers, graphic designers, marketing majors and – in one case – a Los Angeles actor.
MK: Internal awareness programs are not always implemented in the same way. What are some unique or creative ideas you’ve heard in terms of approaching cybersecurity awareness?
LS: Awareness programs are very different from technology. A firewall is a firewall – these solutions are almost identical in every organization. Awareness programs are really about your organization’s culture, so each one is different. A successful awareness program understands the company culture (e.g., whether it’s conservative or outgoing) and plays on that culture; it’s also fun, engaging and people focused.
MK: There are many companies that have yet to implement internal cybersecurity awareness programs; why should they make doing so a priority?
LS: Because if they don’t, they are going to feel a lot of pain quickly. People are not only your best defense (prevention), but they’re also your best resource at detecting and reporting attacks. For the past two years the Verizon Data Breach Investigations Report has found that people are more effective at detecting internal breaches than technology.
MK: How can companies that are just getting started with cybersecurity awareness set goals for what their programs should achieve?
LS: That’s easy – start simple. Put someone in charge, and give them the freedom to be creative and have fun. Highlighting just five core behaviors can go a long way to securing your organizations – start with the basics (e.g., social engineering, updating, passwords, antivirus and backups).
MK: Cybersecurity risks to employees and companies are constantly changing. How do awareness programs grow to meet the next challenges?
LS: The risks may be constantly changing, but to be honest the core behaviors you want to focus on haven’t. What made people secure 10 years ago is very similar to what makes them secure today – spotting scams, backing up devices, following strong password practices, etc. The details and examples change over time, but the core behaviors really don’t.
MK: What resources can you recommend for security awareness professionals, whether they’re just getting started in their programs or looking to strengthen their existing offerings?
LS: Read Made to Stick by Dan and Chip Heath – it’s becoming the bible for security awareness officers around the world on building awareness programs. Consider taking SANS MGT433, SANS’ two-day course on building awareness programs. There is also the OUCH! security awareness newsletter and a tremendous number of forums where people can learn from each other. Ultimately, I see the greatest weakness as a lack of soft skills. Develop those, and you will change human behavior.
Check out SANS Security Awareness for more resources and information on security awareness from Lance and his team. All October long, follow the #CyberAware hashtag on social media for the latest insights, tips and resources to use this NCSAM and to join the conversation. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.