Opinion: Solving data breaches is as much about engaging employees as it is about deploying a technical solution according to Lance Spitzner, Director, Securing the Human, SANS Institute.
Humans are by far the largest cause of data breaches; there is a wealth of research supporting this including the recent 2016 Verizon DBIR findings, so securing them has to be the priority of any organisation serious about protecting its sensitive data. But of course, securing the human is no easy fete. In this article, Lance Spitzner, Director of Securing The Human at SANS, investigates the challenges for security awareness teams and shares his recommendations on how to successfully deploy a security awareness programme to secure the human.
By and large, it is the security awareness team that is tasked with engaging employees for the purpose of changing their behaviours and culture around security. Unfortunately, the make-up of this team itself is the first challenge to its potential success. According to the 2016 Security Awareness Report from the SANS Institute, in over 80% of cases, security awareness personnel had a technical background. While the ability to debug network traffic, build websites, and secure servers are all incredibly valuable skills, they are not easily transferable to explaining security to non-IT focused employees.
The other challenge to the security awareness team is a lack of support in terms of budget, resource and executive sponsorship. Over 50% of the awareness personnel surveyed in the SANS report had a budget of $5,000 or less or didn’t know what their budget was. Meanwhile, not even 15% of security awareness personnel were dedicated to that position on a full-time basis. And finally, while it was encouraging that 65% of respondents said they had ample executive support, that leaves 35% of these professionals without the executive support they need.
Interestingly, the report also showed a direct correlation between the amount of executive support and how mature the security awareness programme was. The awareness is measured using the Security Awareness Maturity Model established in 2011 which is comprised of 5 stages: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and cultural change and finally, metrics framework. Upon analysis, we found that nonexistent maturity programs had the highest concentration of no executive support while the two most mature levels (culture change and metrics framework) had zero instances of no support.
So it seems that currently, it’s the wrong people in the job and those people have little or no resources. With these challenges and supporting statistics in mind, it’s clear that we need to do a better job of educating leadership that security cannot be solved by technology alone and that it should instead be built into the psyche of an organisation. Of my recommendations on how to do this, the first is to ensure that security is not an afterthought.
All too often, security awareness is merely a ‘checkbox’ exercise; a nod to the regulatory or compliance department. When this happens, someone, with or without the necessary skills, is assigned responsibility for the issue and, as the data above suggests, mainly left to their own devices with limited or no success. To avoid this, leadership need to understand, through hard metrics, that cybersecurity is not just a technical problem but a human problem and experience the positive cultural changes that security awareness teams can bring. Once this happens, security awareness becomes much more strategic and successful.
Of the soft skills lacking within security awareness teams, we’ve identified communications as the most important soft skill. The ability to engage employees with a meaningful message, identify and deliver the right content to the right people, leveraging multiple communication methods, and building a roadmap that pulls this all together is paramount to a successful security awareness programme.
To that end, our second recommendation is around getting communications skills into your security awareness team. There are three main to do this – embed someone from your communications department into your awareness team, providing communications training to the existing awareness personnel, or simply hire or contract someone with the soft skills you need.
Our third recommendation is around engaging with employees about security awareness at an emotional level. This, of course, is very much related to the communications recommendation above, as technical security professionals often struggle with ‘the curse of knowledge’ – the idea that the more of an expert you are about something, the harder it becomes for you to explain it to someone else. Passwords are a great example of this. When people fail to use complex passwords at the behest of security teams, those team think it is because they are not motivated but it’s more likely that they find complex passwords confusing and difficult.
So, instead of explaining again why it is important to use a complex password, focusing on how to make passwords easier, such as explaining passphrases, how to use password managers, or what two-factor authentication is, would probably result in far more success.