To mark Cybersecurity Awareness Month, we asked leading CISOs how they are communicating cybersecurity risk to their colleagues both up and down the org chart.
Just as a chain is only as strong as its weakest link, a company’s cybersecurity is only as strong as its weakest employee. As a result, implementing a well-designed cybersecurity awareness program is key, especially when many employees are working from home.
A 2020 report from cybersecurity awareness training company KnowBe4 shows that 94% of executives from a wide range of industries think that a strong culture of cybersecurity is important to their organizations’ success.
“One of the main objectives in our security program is building human firewalls,” said Gautrain Management Agency IT Security Officer Henry Denner. “We have an elaborate awareness campaign that focuses on ingraining a ‘security mentality’ amongst our staff.”
How to successfully execute an educational program on the subject is an open question, however. Effective communication is a challenge only compounded by a largely remote workforce, something that many organizations have now adopted for the long term.
Communicating with remote staff
One of the challenges of managing the working habits of a remote workforce is that CISOs must establish security practices that employees take just as seriously at home as they would in the office.
“We’ve focused our communications to cover what working from home really means,” says Simon Legg, CISO at UK insurance firm Hastings Direct. “We are in the process of deploying improved awareness materials that allow people to assess the security of their environment.”
Meanwhile, former Sasol CISO Itumeleng Makgati’s approach has been to hone her messaging to address specific themes designed to raise awareness about cybersecurity. These messages and one-page reminders are sent to all staff with a monthly theme.
These tips range from the importance of reporting unusual emails to securing a home printer network and working within a secure virtual environment to keep company data safe.
“With the lockdowns and pandemic, we have tailored our message specifically for remote working and connectivity away from the office,” she says. “We provide them [with] relevant messages for this point in time.”
Communicating with senior executives
A strong cybersecurity culture should extend from the top to the bottom of a business. As a result, CISOs also need to be able to communicate effectively with senior stakeholders.
Building those relationships, however, can be a challenge. A 2020 report by professional services firm EY found that 59% of CISOs think their relationships across the organization are at best neutral, and at worst mistrustful or non-existent.
In many organizations, engaging with the cybersecurity team might not be the first item on the daily agenda for senior executives with a range of other priorities.
“It’s very rare, unfortunately, for someone that leads a business area to wake up in the morning and say, ‘You know what? I must set up a meeting with our CISO,’” quips Legg.
“[Hastings Direct] is quite progressive and I have the honor of being part of our strategy group,” he continues. “So, I get to speak with the senior leaders within our organization that are tasked with envisaging where we’re going and delivering against our strategy.”
In Legg’s view, it is essential that CISOs proactively engage with leaders from other parts of the business, especially in organizations that are not already facilitating effective communication on information security.
“There are some organizations where you need to realize that you’re not necessarily at the front of people’s minds,” he concludes. “Therefore, engagement should be at the top of the list.”