Addressing security threats requires moving away from the mindset that compliance equals security. While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.
Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.
Compliance is useful in that it forces organizations to focus on security, but security departments should no longer view compliance as anything more than what it is – the floor, not the ceiling. Depending on the regulations that apply to you, you may be required to provide awareness training to be compliant. Organizations often achieve compliance through annual training or assessments that have little positive impact on the organization, and that can sometimes create a negative perception of security awareness. Compliance-driven training only requires proof that people have completed the training; it does not require any proof that employees can apply the information the training provided. Checking off the security awareness box on your compliance checklist is necessary and may feel comforting, but it gives a false sense of security.
I understand that compliance is not going away, and that for many CISOs addressing it consumes a large part of their budget and time, so how do you break out of the compliance mindset? For security awareness, start by presenting training material that addresses relevant and emerging threats. Training employees on topics like password complexity overloads them with information that does little to improve security. Training on topics like this may be an easy way to fulfill compliance, but training that empowers your employees by giving them knowledge they can apply will truly improve your security posture. Regulations fail to address security concerns because they are rigid and don’t adapt to new tactics; users, however, can be trained to be dynamic threat detectors.
Just as organizations have unique needs, so do the people in them. Applying a one-size-fits-all approach to training will meet compliance needs, but it won’t be as effective as continuous training delivered through multiple education modes that appeal to a variety of learning styles. Your security awareness program needs to evolve beyond annual training into a living, continuous program. Make security awareness part of your organization’s culture by conducting training periodically and varying the presentation of that training content to ensure it resonates with everyone in the organization.
While compliance struggles to keep pace with emerging threats, security awareness that succeeds in improving employee behavior can keep you ahead of the curve. The adversaries are dynamic, creative humans; making security-aware employees with the skills to identify anomalous activity a strategic objective will go much farther than checking the box. It’s time companies moved away from the “I have read and understand” model, and instead moved employees into an “I have read, watched, performed, been assessed, and can prove that I understand” mindset. One size definitely does not fit all, and one-question tests prove nothing.