Article
Cyber Security

Cybersecurity leaders urged to confront inconvenient truths

By George Hopkin
March 07, 2023
undefined mins
Credit: Jonathan Kirn/Getty
Credit: Jonathan Kirn/Getty
A Gartner expert asks the industry: Why has a steady drumbeat of training and phishing simulations not produced effective cyberjudgement in our employees?

Cybersecurity training isn’t getting the support it desperately needs, says a senior IT risk research expert with Gartner, and “a dysfunctional relationship between the security team and the enterprise” won’t be fixed with a metaphorical sticking plaster.

Andrew Walls, Distinguished Vice President Analyst in Gartner Research and Advisory, says several straightforward issues must be addressed and points out that some of today’s problems are the results of decades of inaction.

“A small avalanche of data from various sources - including Gartner - confirms what many of us in the cybersecurity world have believed for years: security awareness doesn’t work,” says Walls. “I suspect that this will not come as a surprise to anyone who works in security as it is routine for employees to prioritise pretty much anything else over security when a conflict arises.”

Walls acknowledges that a continuous stream of training and phishing simulations has failed to develop practical cyber judgement in employees. However, he suggests that some obvious issues need to be addressed, and these topics may make security personnel feel slightly uncomfortable discussing them.

Cyberpeople are not trained to train

Cybersecurity professionals are often not trained in the design, development, product selection, or implementation of training programs, says Walls. Assigning the responsibility of selecting, developing, administering, and measuring a training program to the security team can lead to incompetence. Most people in cybersecurity are experts in computer systems, not people skills. Effective training design and administration require specialist skills, and assuming that such expertise is not necessary is both arrogant and unwise. Ignoring the importance of expertise in training can result in poor training outcomes and wasted investments.

Security teams remain alienated 

Despite decades of pushing for alignment with the business, the security team remains separate and alienated from the rest of the enterprise, and both sides are often comfortable with this arrangement. Walls says this is due to historical reasons, with security seeking to limit the enterprise's flexibility while the enterprise wants to be agile and responsive to the market. This fundamental tension leads to frustration and condescension on both sides, with security personnel using language that alienates employees. There is often little commitment to enabling employees to become competent in security, leading to high-risk behaviour. This social alienation cannot be overcome by training alone.

Policies perpetuate the problem

Policies and regulations often define the frequency of training interventions, such as annual training, rather than focusing on measurable competence in trainees. Such policies undervalue training as a solution to poor security behaviour. If behaviour is essential, policies should target measurement and improvement of behaviour without specifying how to achieve it. Policies that only require a certain number of training sessions per year perpetuate the problem.

Much more required from managers

Despite the importance of security, few managers take responsibility for the security behaviour of their teams, work processes, and infrastructure. The security team is often viewed as a convenient repository for such responsibilities, even though employee and management behaviour is nominally the responsibility of team managers in the business. This leads to conflicts, and employees often prioritise business performance over security metrics. Security awareness training is often ignored, with little attempt to internalise the messages contained in the training, particularly if they conflict with or inhibit personal performance targets.

Many recognise these issues with security awareness and are exploring ways to step past these cultural and social challenges to create a truly security-conscious enterprise, says Walls, whose research focuses on the CISO with security strategy, CISO skills/career development, management communications, employee behaviour management/education and ethical practices within the security function among his key areas of focus.

“Much of this work focuses on creating and maintaining an effective security culture throughout the enterprise,” he says. “This is a great idea and could be transformative for enterprises; however, culture change is not a plaster you can slap on top of a dysfunctional relationship between the security team and the enterprise.”

Share
Share
Author
George Hopkin

Featured Articles

Fortinet Remains a Cybersecurity Leader with AI Offerings

Leading cybersecurity company Fortinet unveils new FortiGate 200G Series to deliver cutting-edge performance and AI security services

AT&T Cybersecurity Rebranded as LevelBlue in Joint Venture

AT&T’s cybersecurity business has rebranded as LevelBlue, a new standalone venture aiming to simplify cybersecurity for organisations

World Password Day: 5 Best Practices To Protect Your Data

For World Password Day 2024, Cyber Magazine shares some of the most important strategies for businesses to protect their information from threat actors

Blackberry: The Rise of Gen AI in Cybersecurity Operations

Technology & AI

Keeper: Cutting-Edge Cybersecurity for Williams Racing

Cyber Security

Norton: Report Highlights Rising Trend of AI Dating Scams

Cyber Security