Cyber-Awareness- Strategic play to build an "Human-Centric" cybersecurity program
I always believe in approaching any initiative by applying a philosophical approach. Philosophy allows you to appreciate the rationale as to “why” and therefore, it helps build consensus.
I have dealt with awareness from a business differentiator point of view in an earlier article, and on other topics of cybersecurity such as program design, strategy design, policy governance, treating cyber as a business risk, risk quantification, and the importance of securing transformation initiatives. Here, we will talk about cybersecurity strategy from another viewpoint. Stay with me till the end , don't do a 'Dory' on me, let's go.
As a risk, cybersecurity is a business risk and i believe is more of a “human-centric” issue. So why are we fighting cyber risk predominantly with technology alone? Technology as a defense can go only so far. Throwing up a few firewalls or cordoning off into network zones or using debatable identity and access management controls will only solve the very obvious low-impact, tired old problems. These echnology-laden strategies are not going to be your answer. The answer lies in solving for human-centric vulnerabilities which hinge on human awareness, behavior, and motivations.
How easy it would be if technology used technology, and technology fixed itself? However it is humans who use technology, and they have inherent limitations. Humans resist change, in addition to being slow to adopt new ways of working. Let us look at the real human element from an “impacting” and “impacted” point of view.
Impacting starts with strategy and it encompasses almost every layer of an enterprise. In fact, “awareness strategy” in itself is an element of impacting. Decision makers and gatekeepers of the actual execution of security functions are the ones who have a role to play. The responsibility of these functions and players is enormous, and they have to have an awareness of the true impact of their role and responsibilities. They need to know the full weight of their role and the consequences of their actions. I am not referring to the templatized job descriptions they have. I am referring to the interplay of actions and consequences.
Before we explore some of those nuances, let us address the impacted: employees, customers, and investors are just a few of those. When you start designing a cybersecurity strategy, you need to take every one of those roles – in other words 'human centricity' – into account. The success of your cybersecurity function is solely dependent on adoption of the service/function of this impacted user base. Cybersecurity functions should also adapt to changing scenarios.
Let us unpack one angle of human-centric cybersecurity strategy – especially the awareness creation – a little bit. When I talk about awareness, I just don’t limit this to the end users, but I would want enterprises to account for impactors, impacted, and also those who actually execute these duties to keep everything secure – the gatekeepers and guardians of security. When we expand the scope of awareness campaigns, we uncover the real value of human engagement.
There is also an additional aspect of the differentiation between awareness and training. For a better appreciation of this nuance, awareness is offered to everyone about the context or purpose of a program or any initiative and its usage aspects, bearing in mind an implicit expectation and assumption of stakeholder engagement. Training, on the other hand, is offered to individuals to help them perform their duties better and is considered essential. Training is very targeted and customized for each person’s job functions.
The first thing I want to call attention to, when allocating budgets, is not to conflate the two. They both have different objectives and goals, and need due attention, depending on your context.
You need to tie your awareness campaign to a change in behavior and increased motivation. This in turn should result in a better risk profile and reduced breaches, whether unintentional or otherwise.
First, let us look at those impacted profiles once again and some examples of types of awareness that would fit the purpose. Please keep in mind that many of these might be topics of training too, where they will be covered in a lot greater detail for those people in specific roles, and you will need to deal with them accordingly.
As you can imagine, these are only a few of the stakeholders and some of the dimensions to consider from the perspective of creating an awareness program. The emphasis is on highlighting the fact that cybersecurity is more a human-centric strategy than something that can be solved just with technology.
Let us next look at few of the implications of an effective awareness program on the risk profile, and ways it can bring about a sustainable resilient cybersecurity function.
As you can see, having an engaged and aware stakeholder has a greater impact on improving the resilience of a cyber defense posture, in addition to preventing incidents. The flip side, of relying on a disconnected tactics-oriented cybersecurity function, strictly relying on a technology-laden approach with policies imposed on a reluctant workforce, would create distrusting and tentative customers and would not bode very well for the ultimate goals of cybersecurity function, which are prevention and resilience.
Now I urge the leaders crafting cybersecurity programs to devise appropriate tailored awareness programs and look at it holistically. This, most importantly, will reduce cyber risks which are actually business risks.
Please share your thoughts and share this article if you find it informative.
I will be sharing my points of view and experiences, over the coming days and weeks, on diverse aspects and domains of cybersecurity. Please note: "There is nothing net new in this world.” Every one of us builds on the knowledge and experiences we acquire, we synthesize and come up with what we believe will make our environment better. Most of views are based on my experiences and acquired knowledge.