Cybersecurity leaders urged to confront inconvenient truths

A Gartner expert asks the industry: why has a steady drumbeat of training and phishing simulations not produced effective cyber judgement in our employees?

Cybersecurity training isn’t getting the support it desperately needs, says a senior IT risk research expert with Gartner, and “a dysfunctional relationship between the security team and the enterprise” won’t be fixed with a metaphorical sticking plaster.

Andrew Walls, Distinguished Vice President Analyst in Gartner Research and Advisory, says several straightforward issues must be addressed and points out that some of today’s problems are the results of decades of inaction.

“A small avalanche of data from various sources - including Gartner - confirms what many of us in the cybersecurity world have believed for years: security awareness doesn’t work,” says Walls. “I suspect that this will not come as a surprise to anyone who works in security as it is routine for employees to prioritise pretty much anything else over security when a conflict arises.”

Walls acknowledges that a continuous stream of training and phishing simulations has failed to develop practical cyber judgement in employees. He argues that several obvious issues need to be addressed first, and that these are topics security personnel may find uncomfortable to discuss.

Cyberpeople are not trained to train

Cybersecurity professionals are rarely trained in the design, development, product selection or implementation of training programmes, says Walls. Assigning the selection, development, administration and measurement of a training programme to the security team therefore hands it to people who lack that competence. Most people in cybersecurity are experts in computer systems, not in teaching. Effective training design and administration require specialist skills, and assuming that such expertise is unnecessary is both arrogant and unwise. Ignoring it produces poor training outcomes and wasted investment.

Security teams remain alienated 

Despite decades of pushing for alignment with the business, the security team remains separate and alienated from the rest of the enterprise, and both sides are often comfortable with this arrangement. Walls attributes this to history: security has sought to limit the enterprise's flexibility, while the enterprise wants to be agile and responsive to the market. This fundamental tension leads to frustration and condescension on both sides, with security personnel using language that alienates employees. There is often little commitment to enabling employees to become competent in security, which leads to high-risk behaviour. This social alienation cannot be overcome by training alone.

Policies perpetuate the problem

Policies and regulations often define the frequency of training interventions, such as annual training, rather than the measurable competence of trainees. Such policies undervalue training as a solution to poor security behaviour. If behaviour is what matters, policies should target the measurement and improvement of behaviour without prescribing how to achieve it. Policies that only require a certain number of training sessions per year perpetuate the problem.

Much more required from managers

Despite the importance of security, few managers take responsibility for the security behaviour of their teams, work processes and infrastructure. The security team is often treated as a convenient repository for such responsibilities, even though employee and management behaviour is nominally the responsibility of team managers in the business. This leads to conflicts, and employees routinely prioritise business performance over security metrics. Security awareness training is often ignored, with little attempt to internalise its messages, particularly where they conflict with or inhibit personal performance targets.

Many recognise these issues with security awareness and are exploring ways to step past these cultural and social challenges to create a truly security-conscious enterprise, says Walls, whose research covers the CISO role, security strategy, CISO skills and career development, management communications, employee behaviour management and education, and ethical practice within the security function.

“Much of this work focuses on creating and maintaining an effective security culture throughout the enterprise,” he says. “This is a great idea and could be transformative for enterprises; however, culture change is not a plaster you can slap on top of a dysfunctional relationship between the security team and the enterprise.”
