Employee Training. PHOTO: Cybercrime Magazine.

CISOs Say Security Awareness Training For Employees Is Top Priority

Chief information security officers on phishing simulation and more

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Aug. 1, 2020

Training employees how to recognize and defend against cyberattacks has long been the most underspent sector of the cybersecurity industry. But we’re in the midst of a sea change that is predicted to result in a $10 billion market by 2027.

Progressive CISOs at the largest companies in the U.S. are pushing hard for more employee security awareness training and phishing simulation programs. Nine of them opened up to Cybercrime Magazine on humans being the weak link in the cyber defense chain, and the need to build a security-aware culture.

“Security leaders, in general, know that the human side of things is critical to consider when it comes to the overall security posture of their company,” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

But shockingly, not every Fortune 500 and Global 2000 company has a full-time security awareness training manager, according to Carpenter. For some organizatons, the responsibilities fall on the shoulders of security personnel who are burdened with other tasks. While we’re not yet in an ideal place, Carpenter says that large enterprises are definitely moving in the right direction.

Cybercrime Radio: KnowBe4’s Perry Carpenter on large enterprise CISOs

One negligent employee can make an organization have a very bad day

9 CISOs On Training Employees

Cybercrime Magazine sat down separately with each one of these CISOs for a candid discussion on cybersecurity, including security awareness training for employees.

Adeel Saeed, former CISO at State Street: “Security training is the key foundation of having a workforce that is well aware and well informed. You educate people, and then you test them … because people will make mistakes and one mistake can cost a company a lot of harm.”

Alissa “Dr Jay” Abdullah, deputy CISO at Mastercard: “We’re at roughly 14,000 employees right now … and that’s 14,000 different ways an adversary can get into Mastercard. You have to educate every single one of those employees (on cybersecurity) and make them feel like there’s something in it for them.”

Kathy Hughes, CISO at Northwell Health: “Protecting patient data is our number one priority. I often ask the question when I give talks and presentations — how many people do you think are on my security team? And you get answers that are 5, 10, 20, but no, it’s 67,000 (every single one of their employees).”

Keith O’Sullivan, CISO at Standard Industries: “People are going to click on something. Do they alert the right people? Do they bring it to information security? When they click on a (phishing) test, are they saying “you got me, good one” or are they running and hiding to make sure that you don’t take away their access?”

Cybercrime TV: CISOs On Security Awareness Training for Employees

One negligent employee can make an organization have a very bad day

Bret Arsenault, CISO at Microsoft: “We definitely see an improvement over time with awareness education. Instead of getting people half as likely to click on something, let’s get half as much email to their system that they shouldn’t see in the first place. If it does get there, make sure people have the ability not to do anything — and then more importantly report it. If they report it, we can immediately eradicate it for not just Microsoft employees but for every Office user in the world and take it out before they ever see it.”

Debbie Wheeler, CISO at Delta Airlines: “We’ve had the FBI come in and make everyone a hacker for the day — to teach them (our team) how to conduct phishing campaigns and what the value and the benefit is for the threat actors. It gives them a different perspective and it helps them understand not just how to protect themselves, but how to protect the company, and it gives them a view into the mindset of why some of the threat actors do what they do.”

Shamla Naidoo, former CISO at IBM: “You have to teach the skills in the context of the job. You should know and understand where the particular cybersecurity obstacles are going to be, where the potential opportunities for fraud and crime and other kinds of digital challenges are going to be, and you have to then learn how to overcome that in your role.”

Laura Deaner, CISO at S&P Global: “Every business is going to have their own risk appetite. So what are you willing to take risks with? If you don’t have an appetite for risks for incidents on your most prized possessions — your material non-public information or even your people — then let’s do everything we can to invest into the controls there.”

Elizabeth Joyce, CISO at Hewlett Packard Enterprise: “I think it (security awareness training) has become one of the really important characteristics for any security leader these days because it’s never just the job of the cyber team. Everybody has a role to play in security.”

If there’s one overarching theme amongst these large enterprise CISOs, it’s that humans are the weak spot, but it doesn’t have to be that way.

Although CISOs are amping up their employee training efforts, the attacks on their people haven’t slowed down. 70 to 90 percent of all malicious breaches are due to social engineering and phishing attacks, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

To optimize their training programs, CISOs and security leaders are wise to reflect on Carpenter’s three realities of security awareness:

1. Just because they’re aware doesn’t mean that they care

2. If we work against human nature we will fail every single time

3. What our employees do is way more important than what they know

Oh, and if you don’t have a full-time security awareness training manager, then you might want to hire one!

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.

Sponsored by KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.

Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s free Ransomware Simulator “RanSim” gives you a quick look at the effectiveness of your existing network protection.

RanSim will simulate 18 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.