As a CISO, I’m focused on the security of Cisco’s entire enterprise, not just our IT systems and infrastructure or the data our customers entrust to us. Because Cisco is a leading security technology provider, my team and I are fortunate to have the best tools to help prevent, detect and remediate cyber-attacks. But even with all of the great technology available to us, I never forget that our number one asset in fighting cyber threats is our employees.
People are the most valuable and the most challenging part of the cybersecurity equation. A recent Ponemon Institute study found that sixty-four percent of the attacks covered in its survey traced back to the negligent behavior of a staff member or contingent worker. It’s not that employees have malicious intent; it’s that most are far too busy, are unaware, or get tricked by adversaries trying to find a way in.
Having an informed workforce that knows how to keep the physical and extended virtual workplace as safe as possible, and is actively involved in doing so, can reduce the risk from human error. To that end, set a goal to move employees through three phases of security engagement:
1. Training and Education
At Cisco, we’re constantly raising employee awareness and knowledge about cyber threats. Employees learn about cyber risks: how to spot them and how to report them. For instance, we regularly use anti-phishing training and testing so that everyone can learn how to minimize risks from email and malware.
This year marks the 11th year of Cisco SecCon, our annual employee security education conference. The conference continually evolves to address the current threat landscape. This year it focuses on building and securing internal enterprise applications and cloud-delivered services for our customers, and on hardware/software development best practices informed by the latest hacks/attacks and security innovations. The tracks are Enterprise Business Operations, Hacks and Attacks, the Business of Security, and Product Security and Innovations.
This month, we’re celebrating Cybersecurity Awareness Month and the one-year anniversary of Keep Cisco Safe, a company-wide campaign to drive pervasive security into our culture and motivate the entire Cisco population into action. Using some out-of-the-box tools and techniques (like gamification, provocative messaging, and a family of persistent digital monsters that pop up in unexpected places), we’re driving awareness of data security threats in memorable ways. Our dozens of Keep Cisco Safe Ambassadors, enlisted from across the company, help keep our global workforce on its security game. We’re committed to preserving a culture where experimentation and creativity are the norm, and it’s safe to make a mistake, as long as we learn from it and stay safe along the way.
Ultimately, all employees need to take ownership of security within the domain they can control. Practicing good cyber-hygiene and changing risky behaviors cannot be optional; it must be mandatory. At Cisco, we have employees annually review and sign a code of business conduct that includes cybersecurity and data protection practices. That way, they’re committing to a standard of accountability that defines their responsibilities to Cisco and to our customers. Employees understand this is serious business with direct implications tied to their job role.
It’s important that this approach to accountability is done in the right spirit: imposing rules always has a bit of a different feel than people internalizing the responsibility. We emphasize that these policies aren’t about restricting employees from being creative in their own work and meeting business goals; they’re about learning where pitfalls lie and where lines need to be drawn.
At Cisco, Security Primes/Advocates are roles we’ve formalized in IT and development teams to be champions of security from within the function or team. We teach them leading security practices, cultivate the security community and celebrate their successes.
The ideal state is to get employees to the point of being proactive security advocates. There are no better role models among the employee population than peers who champion the cause. Not everyone will get to this level, but if you can, find the people who are naturally inspired about security and give them all of the support and tools they need to live out their passion for the good of the whole. Perhaps you have someone on your team who can devise customized practices that fit your group’s processes and style, or someone who will make time to help other team members with specific questions or needs around securing their practices. And, if it’s ever possible, temporarily rotate an IT Security team member into a functional business group; that individual will benefit from learning how the business works, and in turn, he or she will foster more security engagement with that functional group than any leadership information push ever could.
With the right knowledge, understanding and encouragement, employees can and will be the best line of cyber defense you’ll ever have. During Cybersecurity Awareness Month, make some time to pause and think about how you can teach, engage and inspire your team to be the cyber champions you need to keep your organization safe.