Cybersecurity training isn’t getting the support it desperately needs, says a senior IT risk research expert with Gartner, and “a dysfunctional relationship between the security team and the enterprise” won’t be fixed with a metaphorical sticking plaster.
Andrew Walls, Distinguished Vice President Analyst in Gartner Research and Advisory, says several straightforward issues must be addressed and points out that some of today’s problems are the results of decades of inaction.
“A small avalanche of data from various sources - including Gartner - confirms what many of us in the cybersecurity world have believed for years: security awareness doesn’t work,” says Walls. “I suspect that this will not come as a surprise to anyone who works in security as it is routine for employees to prioritise pretty much anything else over security when a conflict arises.”
Walls acknowledges that a continuous stream of training and phishing simulations has failed to develop practical cyber judgement in employees. However, he suggests that some obvious issues need to be addressed, and these topics may make security personnel feel slightly uncomfortable discussing them.
Cyberpeople are not trained to train
Cybersecurity professionals are often not trained in the design, development, product selection, or implementation of training programs, says Walls. Assigning the responsibility of selecting, developing, administering, and measuring a training program to the security team can lead to incompetence. Most people in cybersecurity are experts in computer systems, not people skills. Effective training design and administration require specialist skills, and assuming that such expertise is not necessary is both arrogant and unwise. Ignoring the importance of expertise in training can result in poor training outcomes and wasted investments.
Security teams remain alienated
Despite decades of pushing for alignment with the business, the security team remains separate and alienated from the rest of the enterprise, and both sides are often comfortable with this arrangement. Walls says this is due to historical reasons, with security seeking to limit the enterprise's flexibility while the enterprise wants to be agile and responsive to the market. This fundamental tension leads to frustration and condescension on both sides, with security personnel using language that alienates employees. There is often little commitment to enabling employees to become competent in security, leading to high-risk behaviour. This social alienation cannot be overcome by training alone.
Policies perpetuate the problem
Policies and regulations often define the frequency of training interventions, such as annual training, rather than focusing on measurable competence in trainees. Such policies undervalue training as a solution to poor security behaviour. If behaviour is essential, policies should target measurement and improvement of behaviour without specifying how to achieve it. Policies that only require a certain number of training sessions per year perpetuate the problem.
Much more required from managers
Despite the importance of security, few managers take responsibility for the security behaviour of their teams, work processes, and infrastructure. The security team is often viewed as a convenient repository for such responsibilities, even though employee and management behaviour is nominally the responsibility of team managers in the business. This leads to conflicts, and employees often prioritise business performance over security metrics. Security awareness training is often ignored, with little attempt to internalise the messages contained in the training, particularly if they conflict with or inhibit personal performance targets.
Many recognise these issues with security awareness and are exploring ways to step past these cultural and social challenges to create a truly security-conscious enterprise, says Walls, whose research focuses on the CISO with security strategy, CISO skills/career development, management communications, employee behaviour management/education and ethical practices within the security function among his key areas of focus.
“Much of this work focuses on creating and maintaining an effective security culture throughout the enterprise,” he says. “This is a great idea and could be transformative for enterprises; however, culture change is not a plaster you can slap on top of a dysfunctional relationship between the security team and the enterprise.”