CIO Straight Talk - Issue 10 - 12
It's imperative to make cybersecurity integral
to all business processes. But for cybersecurity
to be truly embedded in the daily life of the
organization and in all activities, cybersecurity
education has to touch all employees.
RAISING EMPLOYEES'
CYBER PROFICIENCY
"Our top impacted areas are people, people,
people," Reyes states flatly. "The top challenge
comes down to human performance," Sheikh
agrees. "The user community is the weakest
link. Most breaches come from phishing. Once
access is provided, it's just a matter of time. I
can keep spending thousands on tools, but how
do you train?" Joe Kirk puts it another way: "All
the technology in the world won't prevent a user
from clicking on the wrong link."
So what's to be done about the people problem?
Like many companies, Entergy has implemented
fake phishing programs, followed by awareness
training "for anyone who clicks on it," Sheikh
says. Other members of the panel report similar
programs in their organizations. At Vistra
Energy, different types of phishing campaigns
are targeted periodically at 15 different types
of groups: executives, privileged access users,
compliance officers, admins, etc.
At Cisco, employees receive fake phishing
campaigns every quarter. They can go to an
internal web site (the "phish pond") to learn
more about phishing and validate any test phish.
This exercise has reduced clicks on fake phish
by two-thirds, says Martino. Those employees
that do click get immediate training and a month
later, they receive another fake phish.
Another common practice involves on-going
training programs and annual certification for all
employees. At ADP, for example, short animated
videos and interactive gamification (e.g., quizzes,
video games) work well to engage employees
and help with content retention, Cloutier says. Key
to such training is measurement, he adds, including
how many people take it, how much time it takes
them, and the nature of their feedback.
"You have to 'grow'
[cybersecurity talent]
within your company
so they can understand
how business processes
are managed within
technology systems."
Zeeshan Sheikh
VP & CIO
Entergy Corporation
In addition to broad-based training programs,
the CISOs on our panel have developed
customized training to raise security awareness
of employees in specific types of jobs. At Cisco,
the "security ninja" program is targeted at
software developers building products and
services for Cisco's customers. They work their
way up various levels until they get the coveted
black belt. For business-related roles, special
training programs cover topics such as designing
secure business processes, regulatory issues, and
the employees' responsibilities as data stewards.
At DNB, the security coordinators mentioned
above customize a general training program to
fit their specific business area.
"When I talk to employees," says Martino, "I
communicate to them that the internet is great
but it's like being in the middle of a large city
rather than a small town's main street." Just
making them aware of the importance of backing
up their personal files is important, he says, as
18% of people never back them up and 39% only
do so when reminded.
All employees are foot soldiers in the battle with
hackers, but a team of security professionals
helps the CISO lead the charge. The trouble
is that it's hard to find people with the right
experience and expertise to fill the increasing
number of open cybersecurity positions.
Spam accounts for 65% of total email
volume; 8-10% of global spam could
be classified as malicious.