Cyber Security Awareness Programmes: Are They Really Working? And What to Do About it?
When some people say they don’t know what to do around cyber, you may want to ask them where they have been for the last 10 years…
For a number of years, I have been puzzled by the high idea some cyber security professionals seem to have that their job is about convincing other people: Convincing users that they need to do certain things to protect themselves and their data; Convincing the Board that they need to invest more to protect the business, etc…
There is also the prevailing sentiment across cyber security communities that those are rational arguments, to be won through facts and figures.
Somehow, there seems to be the sense that employees don’t know what to do around cyber and that the Board does not understand. They need to be educated or trained about it; it needs to be explained to them and cyber security needs to be brought to their level – up or down.
All too often, the argument is framed in technical terms, irrespective of the target audience and the business environment and culture in which they operate.
This approach is flawed at two levels in my opinion.
First of all, I think the argument by which employees and executives need to be educated around cyber is losing ground and credibility. The last decade has seen a non-stop avalanche of cyber-attacks at all sorts of levels – personal as well as corporate. Most of enterprise communities would have been exposed by now to some of those incidents and would have built up an amount of knowledge around what they mean and how to deal with them.
Large organisations – and public agencies – have had cyber security practices and have been running security awareness campaigns in some form or another for the best part of the last two decades.
Frankly, when some people say they don’t know what to do around cyber, you may want to ask them where they have been for the last 10 years…
Fundamentally, we have to question why the messages the cyber security professionals have been trying to push collectively over the years don’t seem to leave an imprint.
My view is that, beyond the technical aspects I mentioned above, we have also been framing the messages in a way which is too functional and too rational, while we are dealing in fact with a situation which is mostly cultural.
We have to assume – and this is my second point – that we may be dealing with cognitive biases and an emotional attachment to the firm and its values that require a different approach.
The key here is to find ways of embedding cyber security – and business protection at large – in the cultural fabric of an organisation. This is not something cyber professionals can engineer by themselves and push bottom-up or sideways: To a large extent, it needs to be seen as coming from the top.
Fundamentally, it is a natural human instinct to protect what you care about: Your home, your children … And employees, like executives, cannot say anymore that they don’t know what cyber risk is about, because of the avalanche of cases we have seen over the last decades.
For them to react to it, cyber security needs to be framed in their culture and by their peers, and more importantly, in the real context of their jobs; it cannot come from an outsider like the CISO – or to a lesser extent the CIO.
To put it negatively and forcing the trait, you can spend as much money as you like around cyber security awareness if people see managers and senior execs constantly flaunting the rules – and being allowed to do it.
If the corporate culture is toxic and employees are not happy in their jobs and in their relationship with the firm and its management, do not expect cyber security and the protection of the firm’s data assets to be on anybody’s radar; trying to engineer positive dynamics around cyber security will be costly and will probably not lead very far.
Broadly speaking and looking at it from a long-term perspective, we have to consider that those types of awareness programmes, driven bottom-up or sideways by CISOs and CIOs, have not worked well enough over the years, beyond putting – at great cost – a proverbial tick in compliance boxes; they have been tried and tested in all sorts of formats over the past two decades, and we wouldn’t be here writing about this if they were working as they pretend to be.
So things need to change and the first step is to stop repeating the mistakes of the past.
Senior execs must take the lead around security awareness and drive it top-down consistently towards their people, in their own language and in their own ways, at the level they believe to be pertinent for the firm.
If they don’t see the need or remain in denial about it, I think we have passed the point where we should expect cyber security professionals to “convince” them.
In the face of non-stop cyber-attacks, we have now entered the realm of corporate governance, and I think the Board should simply mandate it. And I would see it as a duty for independent directors to ensure it gets done.
If skills remain a problem at that level, then appointing a cyber security specialist at Board level should be considered, but that’s now the only way – in my view – for this to start moving forward.