July 3, 2023

The SAT elephant in the room: Part 2

By Kai Roer · 3 minute read

Finding value in security awareness training (SAT) can be a struggle for CISOs. In our previous blog post, I discussed how important it is for CISOs to be more aware of their role in successfully getting the most out of their security awareness training program. It is down to you as the CISO to understand the needs of your organization, and follow up with relevant interventions. In the second part of this series, I discuss another crucial element to being successful when trying to address the human element.

The employees business is your business

Is it fair to say that cybersecurity departments are not well integrated into the rest of the organization that they are protecting? I recall having this very question discussed at conferences, over dinners and beers with CISOs and security professionals around the world. Often, I have found that there is a perceived lack of integration of the security function. But without proof, it has been difficult to know for sure. This fact has been highlighted by recent research, which reports that many CISO functions seem to be siloed off from the rest of the organization (Hielscher et al., 2023). Researchers list various potential reasons for this, ranging from traditional organization structure, where the CISO often is a part of IT, to a lack of cross-functional communication in the organization. There is also the possibility of the CISO not being able to understand that their actual function is to protect the business of their employer, so that there may be business to be had tomorrow too.

Regardless of your specific struggle as a CISO you should always seek to understand the business of your organization. If you are to protect your business, you need to understand what your business is. Only then will you be able to adjust your security controls, risk management approach and your communication to align with that of your colleagues, peers and stakeholders. To get a better understanding of the business, I find it very helpful to learn how to speak business language. Many functions and areas of expertise, including cybersecurity, have their own terminology and perspectives. The same applies to other functions, like sales, finance, production, and leadership. The best CISOs I know are able to repurpose the curiosity that drove them into security in the first place, to learn about other functions, perspectives and terminology. Then, they apply that new knowledge to drive their message across, wrapping security priorities into the terminology and perspectives of their colleagues, instead of trying to force everybody to speak security-language.

Only when you communicate in a way that resonates with your audience, will your message be heard. This is true regardless of where the CISO function is located in your organization today, and regardless of your organization's current maturity. Your main responsibility as a CISO is to communicate risk in such a way that the decision makers and the employees understand, and can relate to said risk. Only then will you be able to create support and budget for your security programs. But this is a two-way street - if you want them to improve their understanding of security, you best be prepared to learn about their day-to-day job too.

If your idea of building a more secure organization is like this one CISO:

“I just want to prevent everyone from clicking on everything.”

You are not going to succeed. Not because human behaviors cannot be (easily) changed. But because you do not understand what many people's jobs are. If the employee is a sales person, their job is to send, receive and open documents and links all day long. If the employee is in procurement, their job is to send, open and work with links and documents all day long. If the employee is in legal, accounting, billing, support, IT, even security, their job is often to create, send, receive, open and evaluate links and documents all day long. It is the employees job to click on most things. That is what they get paid to do. For most modern organizations, it is a part of their core business to open and work with links and documents.

What now, then? If we are not to stop people from opening attachments and clicking on links, should we also stop educating them? Of course not. Helping your colleagues to understand the huge problem phishing and social engineering is, will help them realize that they may have to change some of their behaviors. Fire-drills are not intended to prevent fires, but to make sure everyone knows what to do in the event of a fire. That kind of thinking should also be applied to cybersecurity. It is not only about preventing that incident that is inevitable, instead it must be about preparing your organization to handle the incident, and recovering as fast as possible. Ask yourself what would happen if your phishing assessments were run as fire-drills? How would that impact the resilience of your organization?

The focus for the CISO should be to understand the risk and threat landscape of the organization, communicate this as clearly as possible to all stakeholders, and work with the whole organization to manage that risk by implementing relevant, realistic controls and metrics. You need to build a resilient organization, one that is capable of dealing with different incidents and surviving to live another day.

At Praxis Security Labs we understand the importance of your business. We provide you with the support you need to map stakeholders and identify different target groups. We leverage your existing data and resources to help you communicate security to employees, management, C-suites and the board of directors, helping you build alliances and support across silos, roles and functions.