Traditionally, cybersecurity has been seen as an IT issue, but individuals at every level of an organization have a role in implementing the security architecture. The best way to foster the broad support needed for a successful Information Security Program is to create a corporate culture where awareness and compliance are a part of daily activities. Not everyone has the same role, of course. There are three main groups that need training tailored to their responsibilities.
Both New York’s Cybersecurity Requirements for Financial Services Companies and the NAIC Model Law require that executive leadership takes ultimate responsibility for their company’s Information Security Program. While a board of directors (or similar authority) may designate an individual or group with the specialist skills needed to oversee the day-to-day activities of its ISP, they still need to understand and document the following areas:
- Overall status of the Information Security Program (ISP)
- The entity’s current compliance status
- Results of the most recent risk assessment
- Current risk management and control decisions and how they were made
- Risk assessment results and mitigation efforts for third-party vendors
- Results of penetration testing and other simulation exercises
- Any actual or suspected cybersecurity events/violations and the organization’s response to these events
- Any pending recommendations for further improving the effectiveness of the ISP
Information Security Personnel
Responsibility for the development and implementation of security architecture often lies with personnel with specialist skills and knowledge. Key roles include the Chief Information Security Officer (CISO) and the Incident Response Team (IRT). It’s important to remember that cyber threats and the resources to defend against them evolve constantly. Companies must allocate both time and financial resources to ensure that these experts maintain awareness of the latest developments.
In addition to “traditional” training, don’t overlook two important opportunities to expand your team’s expertise. The first is networking. When it comes to cybersecurity, it’s always best to learn from someone else’s mistakes. Encourage and support the individuals responsible for your security architecture to connect with peers and mentors in their fields to exchange information and share experiences.
The second is drills. These should include both planned tabletop exercises and unannounced simulations. A number of government agencies and commercial vendors offer ready-to-use scenarios. Companies can also hire a “red team” to test their defenses. After all, it’s easy to become complacent about your level of preparedness — especially if you haven’t been the target of an attack recently.
Ask some IT professionals, and they’ll tell you that information systems would be perfectly stable and absolutely secure … if not for those pesky users! That’s an exaggeration, of course; but conventional wisdom sees employees more as a risk than an asset. Having a workforce that understands the risks of the cyber landscape and knows how to respond effectively to them provides an additional layer of protection for critical systems. Training makes the difference.
All training isn’t created equal, however. Poor-quality resources can do more harm than good by desensitizing employees to the importance of data security/privacy. Be realistic about the impact of threats for the same reason. Above all, remember that education programs work best when they use positive reinforcement. If employees fear being ridiculed or punished, they’re more likely to hide evidence of a breach – allowing threats to go undetected for a longer period and thus do more damage.
Security awareness training should be part of onboarding all new employees. Begin by explaining how job responsibilities determine their level of access and build from there. Also, don’t assume that “experienced” employees will know what to do; every company’s security needs and systems differ. For ongoing training, opt for smaller sessions that focus on one or two topics, spread throughout the year. This structure allows for repetition until employees absorb the information, and for updating content to reflect evolving threats.
Consistent, quality training — customized for the responsibilities of employees at every level of an organization — creates a culture of security awareness and opens a dialogue about the best ways to secure the information that keeps your business in business and fosters trust with customers and strategic partners.
This is the second in a series of articles discussing some of the most commonly overlooked aspects of security architecture and cybersecurity compliance.