Christina Quaine met with her company's board of directors on a Thursday in mid-2020 for a regularly scheduled briefing. Quaine, CISO and senior vice president of technology operations at AvidXchange, also used that time to alert them to new COVID-related security risks, including an uptick in phishing attempts and other emerging vulnerabilities.
But, although the details of her presentation were new, her efforts to educate the board that oversees this B2B payments company with 1,400 employees are not. Quaine is committed to implementing a cybersecurity awareness program throughout the company, from the highest executive tier on down through the ranks.
"Training is important at various levels because we all have the responsibility to be secure," she said.
A global crisis like the COVID-19 pandemic only underscores that CISOs like Quaine have their work cut out for them. The "2020 State of Privacy and Security Awareness Report" from cybersecurity training firm MediaPRO and Osterman Research found that just 17% of employees said they are "very confident" they could identify a social engineering attack, and only 27% said they could identify at least two warning signs that malware has infected their computing platform. Meanwhile, 28% doubted they could identify a phishing email, and 20% couldn't articulate the security risks created from putting work information in personal cloud apps.
Similarly concerning figures come from ISACA, an international IT governance association, and CMMI Institute. Their most recent "Cybersecurity Culture Report," from late 2018, found only 5% of the more than 4,800 business and tech professionals polled believe their organization's cybersecurity culture is as advanced as it needs to be to protect it from internal and external threats. Meanwhile, 95% said gaps exist between the organization's desired and actual culture of cybersecurity.
One of the biggest reasons for the gap is a serious lack of cybersecurity awareness on the part of employees. The same ISACA study found that only 34% said employees have a solid understanding of their role in an organization's security culture.
"Security awareness used to be a thing or an event. We'd have a day and give them a promotional item, and in its day, it was innovative, and it worked. But T-shirts and posters and coffee mugs aren't going to cut it anymore," said Fred Rica, principal in KPMG's Advisory Services practice.
Top CISOs and leading-edge organizations got the memo, and as such, they're updating their cybersecurity awareness programs -- moving away from stale and static projects that simply pass along rules and regulations to workers. Instead, they're adopting more informative approaches with interactive lessons and tailored -- even personalized -- programming to promote a culture where security permeates everyday tasks and becomes automatic.
"When you put those elements together, that's when you get a mature awareness program," Rica said.
A comprehensive cybersecurity awareness program in action
Quaine takes a comprehensive approach to security awareness and training. She has a mix of regularly scheduled events and ongoing initiatives and uses diverse approaches to reach different types of learners. Quaine's goal is to instill a security mindset throughout the entire organization.
Each October, her 15-member security team holds compliance training, reviewing the company's compliance policies and data regulations with staffers. She also runs regular email phishing campaigns to promote vigilance, sharing results with employees and using those results to identify and address weak areas. In addition, she works with HR and other functional leaders to distribute information on emerging security issues and the company's responses and policies to them -- employing various resources, such as online educational content, to keep workers up to date on risks and company-mandated security policies.
Quaine also developed educational content tailored to individual roles to better engage each employee and boost the company's overall security posture.
"You can't give everyone a security 2020 training class and then check the box. It has to be tailored to that individual, what they do, their job and how security fits into their role," she said.
Her security team, for example, works with developers to educate them on the latest vulnerabilities and secure coding best practices and to support them as they work to introduce security earlier and earlier in the development cycle -- a practice known as shift left.
Meanwhile, different content educates the company's payment specialists on how bad actors could use compromised emails to run scams or on how fraudsters use just enough information, a practiced script and crying babies as background noise on calls to elicit sympathy -- and cooperation -- from empathetic customer service representatives.
"The hackers are always looking to exploit, so you can't have a set-it-and-forget-it mentality. Training has to evolve with the threats," Quaine said.
Steps to modernize security training
That dynamic, responsive approach has become essential for a modern cybersecurity awareness program. And it's worth the investment, according to experts, as the costs of data breaches and other security incidents continue to rise. Ponemon Institute calculated in 2019 that the average cost of such an incident for a U.S. organization was $8.19 million. Meanwhile, the ISACA study mentioned above found 87% of respondents believe that establishing stronger internal cybersecurity cultures would increase their organizations' profitability or viability.
Although such findings create strong incentives for improving employee awareness, experts said the increased risks associated with the COVID-19 pandemic and the massive rush toward remote work should also spur all CISOs and their C-suite colleagues to build more comprehensive security education programs.
Leading authorities offered 10 ways to help do that.
1. Invest adequately.
According to the ISACA study, organizations with a gap between their current and desired cybersecurity state spend only 19% of their security budget on training and other tools. Those without such a gap spend 43% on training and awareness. Rolf von Roessing, partner and CEO at Forfa Consulting AG and ISACA board vice chairperson, said the takeaway from such findings is clear: "If you don't spend, you're falling behind."
2. Manage employee awareness as a security risk.
CISOs and other enterprise leaders are increasingly taking risk-based approaches to cybersecurity, identifying areas of the highest risk that, therefore, require the most stringent protections. They then create a hierarchy of security risks so they can prioritize their mitigation efforts and measure improvements in each area. Sounil Yu, CISO-in-residence at YL Ventures, said organizations should take the same approach to training in every cybersecurity awareness program. "If a person is clicking on every phishing email I send them, then I should see them as a big threat surface I need to patch," Yu said. "That's how I see the general process of fixing vulnerabilities. I want to close that attack surface, and one way to do that is to train, or harden, the user to make them secure against future attacks."
3. Measure for improvements.
Just as CISOs set targets to limit risk in other areas and then measure outcomes to determine whether their efforts were effective, Yu advises security leaders to do the same with their training and awareness initiatives: "Measure progress against specific learning objectives to make sure [employees are] no longer susceptible to risks."
4. Tailor training to specific roles and responsibilities.
Most employees have only a limited understanding of security and technology, as well as limited access to sensitive systems and data. So, there's no need to deliver complex, high-level lessons to those workers; much of the information would be irrelevant and possibly confusing. CISOs would do better to tailor security content to the roles and responsibilities of their different worker groups, making the lessons specific and more pertinent to each one. "You can't train everyone to the highest levels," Yu said. "Some roles are riskier than others. You want an individual with administrative access to have a higher level of security awareness. But, if someone doesn't have those [permissions], it's reasonable to expect lower levels of security awareness."
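Steps 2 through 4 describe treating phishing-simulation results as an attack surface to measure and prioritize by role. The script below is an added illustration, not code from the article or from any of the companies named in it: it runs over constructed results from two hypothetical simulation rounds, weights clicks by access level (the weight of 3 is an assumption), ranks who most needs training, and measures the change between rounds.

```python
from collections import defaultdict

# Constructed sample data (not from the article): two rounds of a phishing
# simulation. Fields: campaign, user, role, has_admin_access, clicked.
RESULTS = [
    ("round1", "alice", "developer", True, True),
    ("round1", "bob", "payments", False, True),
    ("round1", "carol", "payments", False, False),
    ("round1", "dave", "sysadmin", True, True),
    ("round2", "alice", "developer", True, False),
    ("round2", "bob", "payments", False, True),
    ("round2", "carol", "payments", False, False),
    ("round2", "dave", "sysadmin", True, False),
]

# Assumed weighting: a click by a privileged account counts three times as
# much, because that account reaches more sensitive systems.
ADMIN_WEIGHT = 3

def click_rate_by_role(results, campaign):
    """Fraction of simulated phish clicked per role in one campaign."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for camp, _user, role, _admin, did_click in results:
        if camp == campaign:
            sent[role] += 1
            clicked[role] += int(did_click)
    return {role: clicked[role] / sent[role] for role in sent}

def exposure_scores(results, campaign):
    """Per-user click score weighted by access level: the 'attack surface'."""
    return {
        user: int(did_click) * (ADMIN_WEIGHT if admin else 1)
        for camp, user, _role, admin, did_click in results
        if camp == campaign
    }

def improvement(results, before, after):
    """Drop in total weighted exposure between two campaigns (positive = better)."""
    return (sum(exposure_scores(results, before).values())
            - sum(exposure_scores(results, after).values()))

def repeat_clickers(results, campaigns):
    """Users who clicked in every listed campaign: the persistent weak spots."""
    hits = defaultdict(set)
    for camp, user, _role, _admin, did_click in results:
        if did_click:
            hits[user].add(camp)
    return sorted(u for u, c in hits.items() if c >= set(campaigns))
```

Users with the highest exposure score (and anyone in the repeat-clicker list) go to the front of the role-specific training queue, and the improvement figure is the number to report back to the board.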
5. Make it personal.
In addition to tailoring lessons to individual workplace roles, security leaders said effective training and awareness initiatives educate employees on how they can protect themselves and their families outside of the office. Security experts said workers tend to learn more effectively when they feel they have a personal stake in the outcome. Plus, employees tend to want to protect their organizations if they feel their organizations are also looking out for them. "When you make people think you care about them, they tend to care more about the company, too. They feel their efforts are reciprocated," Rica said.
6. Enlist peers.
Many companies that have successfully boosted their employee security awareness have used ambassadors to promote the security message, said Lance Spitzner, senior instructor with SANS Institute, a security training organization. Security leaders enlist volunteers with an interest in security and train them to engage colleagues both through formal programs, such as lunch-and-learn events, and informal interactions. These ambassadors operate in similar ways to technical superusers who put their aptitude for certain business applications to work by tutoring others. Spitzner said ambassador initiatives can help CISOs quickly scale their cybersecurity awareness programs. And volunteers often know how to effectively promote security within an existing office culture. "Ambassadors understand how their peers best like to work," he said.
7. Keep it simple.
Security leaders, legal departments and compliance officers are often involved in drafting the security policies and regulations they expect employees to follow. But they often craft those policies in jargon-heavy technical and legal terms that most workers don't fully understand, Spitzner said. "We tend to make security training difficult, hard and painful," he added. "But the most effective ones make it simple." As an example, he pointed to a financial firm that created comics to promote its security message in an accessible way. Spitzner said he also advises CISOs to simplify policies by promoting a few key behaviors that are most critical, instead of addressing every possible threat scenario, no matter how unlikely.
8. Market the program.
Rica said the most innovative companies build effective cybersecurity awareness programs by enlisting marketing and communications professionals to create a brand for their training efforts, complete with mission statements and logos. Such efforts help people get excited about the work and feel like they're part of something important.
9. Make it engaging -- even fun.
Interactive training, hands-on learning and lessons incorporated into games have consistently proven to be some of the most effective ways to inform workers about security issues, have them adopt best practices and get them to retain critical information. Interactive programming includes phishing simulations, as well as more advanced practices, Rica said, noting that his firm worked with a client company to develop a game for workers that timed how quickly their passwords could be cracked. Working with the same client company, his firm also created a virtual lesson that showed employees just what happens when they click on a link containing malware.
10. Lead by example.
Organizations that want to instill security awareness throughout their ranks need leaders who not only support such efforts but also champion them, Rica said. One of the best ways to do that is to make sure those leaders -- whether they're executives or influential workers at any level -- are modeling the desired security practices. "People tend to mimic behaviors in people they admire, and so it's important to get leaders engaged in a way that promotes modeling behavior," he said, adding that employees are more motivated when they see the CEO adopt security best practices. "That resonates with people."