By Roy Zur, CEO, ThriveDX Enterprise
Gartner, earlier this year, published a report stating that the future of cybersecurity lies with the very people helping businesses to operate and gain revenue, its employees. In fact, the report’s number one prediction is that by 2027 at least 50% of CISOs globally will formally adopt a human-centric approach. It’s no surprise as employees are the top risk to enterprise security, and Gartner’s research shows that more than 90% of employees admit to undertaking actions that they know increase their company’s cyber risk.
Security leaders have long grappled with an imbalance between technology and the human element when it comes to implementing an effective cybersecurity strategy. The key to changing this is looking beyond awareness to building a culture of security within the organization at every level, with a renewed focus on human factor security.
There are several steps to implementing this successfully, starting with the tips below.
Cultivate a culture of security from the top down.
A comprehensive program that combines technology and culture to change mindsets and skill sets is the key to addressing human factor security. This begins with training, education and a “beyond awareness” mindset at all levels, from the C-suite down, to make sure that every team member knows what security policies and controls exist and what threats they are likely to come across. All employees should receive regular training, testing and further touch points to keep cybersecurity top of mind at all times. This focus on human factor security is the only way to build employee confidence in their cybersecurity skills, ultimately cutting down on human risk and cyber threats.
Go beyond security awareness to build learning processes that work.
By now, most enterprises have some type of security awareness program in place to at least satisfy compliance requirements. However, simply gathering employees every few months to review a list of security procedures is not enough. Organizations should strive to engage employees in active learning processes, helping them internalize and apply cybersecurity best practices in their day-to-day work. Training should be regular and unscheduled, and include education on cyber risks employees are likely to encounter in their daily work. The ultimate goal for every security professional is to get buy-in for security awareness and training from every employee, creating a culture where the entire team essentially forms a human firewall inside the organization, identifying threats and preventing attacks. Generic security awareness training does the exact opposite. It accomplishes nothing other than checking a compliance box and it can be potentially damaging to your security culture. Human-factor security goes beyond awareness and builds a strong security culture by involving employees and customizing security awareness training to their needs.
Implement tailored training for every role inside the organization.
One size simply does not fit all when it comes to security training. For example, non-technical employees on your marketing team are not going to have the same security aptitude, skills or educational needs as developers or engineers on the DevOps team. They also receive different types of communications and are likely to encounter different types of cyber attacks. Training should be customized to suit every role in the organization, from non-technical employees to IT team members, engineers, DevOps, developers, and security professionals. By providing role-specific training, employees can develop the cybersecurity skills they need to protect themselves and the organization.
Don’t forget about secure code and application security training.
When creating a tailored security awareness training program, do not forget about the importance of secure code and AppSec training. It is simply essential for developers and engineers to ensure that the software and applications they create are resistant to potential cyber threats. Effective secure code training helps the developers in your organization understand cybercriminals’ intents, identify vulnerabilities in their code and protect the organization from future attacks.
Finally, create an executive workshop program along with continued training and education initiatives throughout the organization.
C-suite executives set the tone for the entire organization, so it’s crucial that they are well-versed in cybersecurity best practices. Executive workshops can help establish a security culture that begins at the top and trickles down to every level of the organization. In addition, a regular education program to create consistent, positive cyber hygiene habits across the organization is of the utmost importance. This, coupled with effective communication, reduces human risk and ultimately cuts down on cyber threats. By continually reinforcing good practices and keeping employees informed, they will be better equipped to protect themselves and the organization.
In light of Gartner’s report, embracing a human-centric approach to cybersecurity has never been more critical. By focusing on human factor security and fostering a security-driven culture from the top down, organizations can build employee confidence in their cybersecurity skills and create a more secure environment in the face of ever-evolving threats. Achieving this requires a combination of technology and cultural change, transforming both mindsets and skill sets to make a lasting impact.
About the Author
Roy Zur, a serial entrepreneur, is CEO of ThriveDX’s Enterprise Division, the global education company committed to transforming lives through digital skills training and solutions. In August of 2021, ThriveDX acquired Cybint Solutions, where he also served as CEO since founding the company in 2014. Roy is a 15-year veteran of the vaunted Unit 8200 of the Israel Defense Forces, where he served as a Major, which instilled in him an early passion for addressing the “human factor” of cybersecurity training – currently the #1 vulnerability across the threat landscape.
In addition to steering the vision of ThriveDX’s Enterprise Division, Roy serves as adjunct professor of risk management in cybersecurity at IDC Herzliya in Israel. He is also Founder and Chairman of the non-profit Israeli Institute for Policy and Legislation, and a member of the Forbes Business Council.