I sometimes think that being a CISO is like being a very keen gardener. There is no ultimate endpoint or destination, just an endless journey of maintenance in an unpredictable environment. And there is no place for complacency; take your eye off the ball – or the garden – and your security posture could descend into a weed-ridden, unruly mess.
Of the many areas of cyber security that require the care and attention of keen green fingers – such as evolving threats, new tools and software – the one that requires the most is the staff. Employees are central to the overall security posture of a company. Over 90% of breaches start with a spear phishing email sent to an unsuspecting employee. The CISO’s job, among others, is to train – as one would a vine – staff to move forward in a safe direction by educating and empowering them to think and act securely in everything they do.
It’s not as easy as it sounds. This requires the CISO to drive behavioural change across a diverse and varied group of people without alienating or patronising. Quite frankly, this isn’t a skillset that the typical CISO will automatically have. For those like me, who rose to this position from the technical side of cyber security, learning how to manage and inspire people is an ongoing process.
That said, it is one of the aspects of my job that I greatly enjoy. Over the years I have developed my own strategies for success. A ‘quick win’ is ensuring all new starters have a friendly induction to inform them of risks and how to stay secure. I also try to remain visible around the office; I want people to see me as approachable and feel able to report anything unusual without risk of censure.
Regular training is also important, but can present a challenge when people are busy or working from home, as many of us are during this current crisis. Our solution has been to create a sense of autonomy, empowering people to take responsibility for their own security ‘upskilling’ – in a time that suits them – rather than insisting on face-to-face sessions. To achieve this, we invested in Beauceron, a training platform that has been rolled out to all staff.
I first came across Beauceron in my capacity as a mentor at CyLon, a cyber security start-up accelerator programme that Nominet sponsored. The Beauceron platform gives each member of staff a risk score. This can be reduced by completing quizzes and training modules, or spotting and reporting both real and simulated phishing emails. People log in at their leisure to take short courses – each taking an average of 15-30 minutes – and Beauceron crunches the data for us so we know how staff are using the platform and how thoughts and behaviours might be changing as a result.
It works well for our company because our staff are (I have learnt) driven by healthy competition, determined to make their risk score lower than their peers. This is something I noticed when I introduced a security contest in the office, with each team winning or losing points depending on their basic security practices (e.g. locking their computers when they are away from their desks). The battle for the prize was fierce and even Beauceron has noted that Nominet is by far the most competitive company they have on their platform! This is useful information for the CISO. Like the gardener knows which plants want sunlight and which need moisture, the CISO gets to know what drives their staff to behave in certain ways and uses the incentives that will prove most effective. In this case, the ends certainly justify the means.
Beyond the walls of our offices, it is also useful to understand why people as a whole act in the way they do across society if we want to make cyber security a more integral part of daily life. In Nominet’s Digital Futures Report, we found that over-confidence is something of a stumbling block for the average UK adult. The research showed that over 75% claim they know enough to stay safe online, yet only 29% know what two-factor authentication (2FA) is, and 24% don’t change their account passwords even when their online bank or utility provider has been breached. Confidence is a good thing, but only if backed up by good behaviours – and 2FA and password management are two of the most important.
The key question is why people don’t do more to protect themselves, even when aware of the risks. The Beauceron report, which reviews insight gathered from the worldwide users of their platform, had some insight into this. Of all the fake phishing emails it had sent to users, the most successful one – likely to fool someone into clicking on it – was one that offered a compelling job opportunity. Clearly, emotions play a part in how we act online; a tricky area for the CISO to tackle.
That said, it helps to have an awareness of what drives people so that we, as CISOs, can devise approaches that work with and not against the nature of our staff. Repetition and reinforcement, or purposeful practice, are critical when trying to master new skills and create new habits. Throw in the right incentives – as simple as a free lunch for the most secure team – and you can bring about the behaviours that your business needs to stay secure.
I am of course still learning, as I imagine many CISOs out there are too. Driving online behaviour change is a new area for many of us but I think it is one we will master. Indeed, the importance of equipping people with safe online behaviours has been thrown into sharper relief now that we are using the internet even more than we may have done pre-coronavirus. It helps me to keep thinking of my staff as I would my plants. Be kind, attentive and vigilant, help them thrive by providing what they need when they need it, even if you must do so remotely. Then you will all reap the rewards – be it a garden full of blooms or a thriving business that is safe and secure.