A strong cybersecurity strategy means using every asset, including the workforce

By James Hadley, CEO of Immersive Labs.

  • 2 years ago Posted in

For decades, cybersecurity has been treated as an IT issue, with responsibility falling exclusively to the IT department. Part of their role has traditionally been to convince the rest of the business of the severity of the situation and translate these threats to the board. The main issue faced by these professionals is that it’s hard to fully portray the risks and repercussions of a cyber breach without actually experiencing one – by which point, it’s too late.

However, with the volume and severity of breaches increasing steadily in recent years, it’s unsurprising that businesses are now recognising the risk and responding accordingly. In fact, global security spending is predicted to reach $1.75 trillion by 2025. To many, this might seem like a positive step – but we need to consider where that money is going. Simply throwing money at the problem is a tactic frequently adopted by organisations, yet it’s proven to be ineffective and can end up making the problem worse. By deploying hundreds of disparate security products to tackle individual weaknesses, the business can become overwhelmed, and teams will miss the bigger picture.

Every company has another powerful asset that is often overlooked: their workforce. Each employee has varying skill, knowledge and judgement when it comes to company security, and when leveraged effectively, businesses can greatly strengthen their security position without having to splash the cash on every shiny new security product. And with global cybercrime costs expected to grow to $10.5 trillion a year by 2025, organisations need to be changing their tactics now. It’s time to broaden the focus beyond just the IT team and optimise the entire workforce.

Static vs dynamic

Traditional security solutions are designed to tackle specific weaknesses in the infrastructure, but this creates a very static approach to an overall security strategy. Given the fluctuating and dynamic nature of the cybersecurity landscape, businesses need a security plan that can keep up with the changing needs and evolving threats.

This applies to the workforce as well. Security awareness training usually takes a fixed approach where one cyber threat is tackled at a time. And rather than educating workers on how to best defend the company from threats, this training encourages them to simply recall facts from multiple choice questions that will be quickly forgotten after the course finishes. It bears no relevance to the role these workers will play in the midst of a crisis and treats them like vulnerabilities – not defensive assets.

Each member of the workforce has value to add. So instead of these outdated and ineffective methods, organisations need to focus on three simple factors to develop the cyber capabilities of their entire workforce: exercising, evidencing, and equipping. In other words: continually benchmark the knowledge, skills, and judgement of the workforce; demonstrate risk levels across all business functions by using data gathered from simulations; and use regular cyber exercises to plug any skill gaps. These criteria are critical for breaking away from a static security plan and a dynamic one.

Crucially, rather than tackling each security issue individually, organisations must adopt a business-wide approach that optimises and supports employees across all departments so that everyone is crisis ready.

How to effectively skill up the workforce

At the heart of this strategy are the three factors we addressed earlier: exercising, evidencing, and equipping.

First of all, employee exercises cannot be annual, one-off sessions: they must be easily repeatable, and they must be measurable. They must also be tailored to the actual risks the organisation faces and the roles the participants will play in a crisis. A telecoms giant will face very different cyber risks to a healthcare provider – but both must ensure their workforces are ready for when the worst happens. Similarly, a member of the comms team will play a very different role to a member of the security team, but both will be called in in the event of a serious breach. An effective method is to use realistic simulations based on real threats and operate across departments to ensure seamless coverage across the entire enterprise.

Launching dynamic simulation exercises that address the biggest cyber threats of today, including ransomware attacks and malicious insiders, will help prepare every individual for potential crises in the future. These drills will contribute to building a machine-like response to an emergency, where each employee understands their part to play, leaving no one faltering and desperately trying to remember which multiple choice answer best suits the situation.

The data collected from these simulations can be used to determine the range of human capabilities across the company, which helps map out where the biggest exposures lie and where businesses need to invest in additional resource. Benchmarking against industry peers is also encouraged to build a picture of where the enterprise falls in relation to the wider sector.

Use every tool in the box

Every member of the workforce holds unique value and contributes to the wider enterprise’s security posture. By therefore delivering tailored solutions, businesses can ensure direct and agile security coverage that responds to the changing landscape. Long gone will be the days of static approaches and limited outcomes, and businesses will be in a far stronger position when they come face-to-face with new threats.

Having business-wide visibility of employee skill levels will also help provide appropriate support for each department as their needs will vary. Rather than IT being solely responsible, each department – including application development, communications, legal and HR – will have their own part to play. IT and security professionals can work closely with the board, in full confidence that everyone else is responding accordingly. Organisations can also use the data and activities to help with regulatory compliance, comparing against security frameworks like MITRE ATT&CK to identify further areas of focus and improvement. All of this will build a true picture of cyber resilience.

As the landscape continues to change, organisations will need to frequently revisit their strategy to keep their real-time overview of business security capabilities up to date. A strong, seamless cybersecurity approach requires long-term investment from all members of an enterprise but will deliver great value when it comes to business resilience against current and future attacks.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.