Chief information security officers (CISOs) have the difficult job of overseeing an organization’s entire cybersecurity posture, but the top CISOs are creating long-lasting behavior change in security culture. These leaders do something a little different to achieve long-term cybersecurity improvements. Here are five things top CISOs do to influence human behavior in their organizations:
1. Go Beyond Security Training and Vulnerability Scanning Alone
There are fundamental practices most CISOs incorporate into their company’s security program. Sure, you can expect to run the awareness initiative—maybe even to hire a security awareness program owner to manage a security awareness training program for employees. You can also expect to run quarterly vulnerability scans and an annual penetration test.
But the most successful CISOs know that these practices alone aren’t enough. They move beyond the standard expectations of the role and dive deeper into understanding their employees’ risk behaviors. After all, according to the 2021 Verizon Data Breach Investigation Report, human error is the cause of over 90% of data breaches and is one of the fastest-growing causes of breaches. A self-aware CISO realizes there are ways to empower users to prevent these breaches from ever happening. They also diligently measure their program’s success and modify it as opportunities for improvement arise.
2. Don’t Use Fear Tactics; Make Learning Fun
Cybersecurity professionals sometimes struggle with making security awareness and training “fun.” Since cyberattacks and breaches are serious, it can feel inappropriate to make light of this subject matter. However, fear tactics are seldom successful for long-term security results. No one likes being shamed for what they do wrong. Chastising employees for making mistakes while learning about cybersecurity can ultimately deter them from caring about your company’s protection—the complete opposite of your intent.
Luckily, there are ways to make learning about cybersecurity interactive and engaging, such as incorporating experiential learning into your awareness training. Professional security awareness games, active online escape rooms, and other gamified learning experiences help your teams retain what they learned and motivate human behavior change.
You can only reinforce these successes if you’re tracking your security initiative’s progress to understand where your team is excelling and where they need additional support. For instance, if your data shows that only half of a department is complying with your new mandatory multi-factor authentication policy, you can use this knowledge to investigate. You may dig deeper to learn why the policy isn’t being followed and add training that underscores its importance, or change your approach to mitigating that security risk if the one tactic isn’t widely accepted.
4. Target Messaging to Individual Leaders
Different teams need different security awareness education. A social engineer may target your finance department much differently than they would your marketing team, for example. While it’s your job to curate training programs that are appropriate to each audience, you need the help of department leaders to gain their teams’ buy-in for your initiatives. They are, after all, the ones who will relay your objectives to their teams and remind their employees to complete their training on time.
That’s why it’s so important to show managers why you developed the program for their department specifically and to equip these leaders with the tools they need to successfully support their team. Remember, leadership and employees are busy with their own workloads; your security initiative is just another assignment for them. You can communicate effectively with management by framing the program around things they actually care about, not your personal IT goals alone. Your program’s success is determined largely by your ability to tell leaders what’s in it for them, in non-technical language, to earn their support.
5. Make Clear Connections Between Security Plans and Business Objectives
In addition to knowing how to frame your security initiative to department heads to earn their buy-in, you need to know how to talk to the C-suite about your program’s value. Executives want to see the ROI of your security efforts in metrics they care about, like business continuity and how your work directly relates to operations.