David Shearer, CISSP, Chief Executive Officer, (ISC)²
For several years now, the growing desire to improve users’ cybersecurity awareness has motivated a whole industry and a plethora of activity. Sometimes highly creative, often humorous, and in many cases a reasonably significant investment, awareness training isn’t always known for being effective. It’s common within the profession to hear reports of the programmes that fail to meet objectives, which contributes to continued frustration with user behaviour. Should we conclude that user awareness is a fool’s dream and continue to try to find technical solutions to the problem? Have we started with the wrong requirements by assuming this is a technical problem?
The (ISC)² Global Information Security Workforce Study, which has been conducted for over ten years, reveals a declining emphasis on the priority given to awareness training over the past three surveys (2011 – 39 percent, 2013 – 38 percent, and 2015 – 32 percent). Further, there is a worrying degradation in the level of concern associated with employees’ mobile devices. It’s not that the concern isn’t there, but other concerns are rising up the priority list.
The study also reveals that phishing was the top tactic detected on the front lines, with 54 percent of the 13,930 professionals responding to the study noting that attack method. This is way ahead of the 36 percent who noted malware was their top priority. Some of the evolving phishing emails are getting so sophisticated that even security professionals can be exploited. Clearly, users must be more aware of phishing attacks and the impact they can have on even a well-planned and funded cybersecurity program.
This is not lost on the cybersecurity professionals working to tackle the problem. We are, however, acknowledged to be understaffed in the face of a skills shortage. We face an ever-growing attack surface of connected organisations, business processes and devices in a world where new services and applications are spun up faster than an organisation’s capacity for oversight. It’s easy to imagine how a security awareness programme can become the poor cousin to other, seemingly more pressing concerns.
It should also be acknowledged that awareness is not traditionally something to which we have a natural affinity. As cybersecurity professionals, we are likely to be more comfortable with the technical aspects of awareness training; however, there are human design and engineering dynamics that must be considered as well. Complacency may also be a factor. Companies may well believe that they have already taken care of the need with online training delivered last year. Employees will of course struggle to pay attention or even take the time to access a tired PowerPoint presentation that’s long overdue for an update. Making security awareness training mandatory does not guarantee that it will be effective.
I am looking forward to the opportunity to explore these challenges during our keynote panel session at Infosecurity Europe: Securing the Connected Human. Examining effective strategies to mitigate human risk and modifying behaviour through awareness are central themes for the session. We’ve assembled a panel of experts with diverse experience and strong opinions on these matters.
There is no question that poorly designed cybersecurity awareness programmes are a waste of time and money; however, this does not mean we should abandon the effort. The real need may be to consider concepts that we’re already familiar with, such as User Experience and Customer Experience. Toward this end, the panel promises to be a very engaging session.
(ISC)² is the largest non-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with over 114,000 members. www.isc2.org
Mr. Shearer has more than 30 years of business experience including as (ISC)² chief executive officer and chief operating officer, associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office.