The human side of infosec

Why we often overlook arguably the most important piece of the security puzzle

By guest author Malcolm Portelli | Cybersecurity Leader | Champion of Human-Centric Infosec Culture

When we think about information security, the first things that come to mind are probably firewalls, policies or perhaps encryption, but we often overlook arguably the most important piece of the security puzzle: people.

Companies are investing big money in the latest and greatest that security vendors have to offer in order to protect themselves from cyber attacks and data breaches, but are they adequately covering their weakest and strongest link - their people?

Security awareness and behavioural analytics

Security awareness and behavioural analytics are vital to the security and survival of any organisation. From teaching the secure use of generative AI to spotting the latest phishing attacks, improving the knowledge of the workforce is of paramount importance.

Why annual training fails

It may not be immediately apparent what constitutes a successful awareness and education program, but I would like to share my experience and knowledge here, with the aim of assisting with its implementation and raising the overall information security knowledge bar wherever possible.

A holistic approach to security education

For most, developing a security awareness and education program likely involves rolling out regular training modules to employees and hoping they will absorb some of the information thrown their way. Some companies only do this once a year, via an hour-long training campaign that is unlikely to spark even a hint of interest in the person watching or reading, treating the exercise as one of compliance rather than value. This methodology just doesn't work anymore, although some could argue that it never really did.

Instead we need to look at security awareness with more of a holistic approach. It should not be something functioning in the background or in isolation. It must be embedded into the culture of the organisation and be embraced by all in the organisational hierarchy including senior management and, if applicable, the board of directors.

Making security awareness a business priority

One might ask "How do I do this when other aspects of the business, like revenue, are the top priority?". My answer would be to make security awareness a top priority as well, by sharing the facts about what could happen to the other top priorities (revenue, reputation, regulatory licences, etc.) if security is disregarded as an organisational priority. This can be called "Step 1" of the Information Security Awareness and Education Program Roadmap to Success, although I am aware that I need to think of a catchier name.

Step 1 - planting the seed of infosec culture

In order to truly succeed in implementing an effective program, you need buy-in, acceptance and, most importantly, backing from the upper echelons of the organisation, which will trickle down through the different teams. This means ensuring that executive management are well versed in the importance of security and the dangers associated with poor security awareness and weak controls implementation. It also ensures that whatever you do as part of your information security awareness program does not meet the kind of resistance that could stop it in its tracks.

Once you have that senior management 'seal of approval', you will need to promote the program to the rest of the organisation. The trick here is in the framing. Instead of just telling people that they need to sit down once a month and watch a bunch of videos in order to "be more secure", roll content out strategically and pad it with what I like to call "tactical extras", which we will cover in Step 2.

Step 2 - diverge from the norm

Let's be honest with one another: standard training in a subject that is of no interest to the person attending is boring and pointless. If there isn't even a hint of interest, no information will be retained, which defeats the purpose of the training.

Therefore, there are three options here - make the training less boring, get people interested in the subject, or, my personal favourite, a bit of both. This is where the previously mentioned "tactical extras" come in. They are information-security-specific items that can spark interest in the person taking part while also making the training valuable and worthwhile for the organisation.

Some examples of tactical extras that you can use include:
  • Creation of custom educational videos utilising voluntary participation by employees, thereby sparking interest with participants and viewers.
  • Development and promotion of security-focused initiatives that have a gamification and competitive edge such as a Cybersecurity Treasure Hunt, which can be organised to take place in the digital or physical world.
  • Implementation of a Quarterly Cybersecurity Champion award for individuals who have had a significant positive impact on the organisation's security posture, whether by something they did (such as reporting a suspicious email) or by something they refused to do (such as declining to bypass a control).

All of the above can be implemented with minimal budget and, if done in collaboration with other teams and with an eye to time efficiency, need not be resource intensive.

Step 3 - watch the culture blossom

The trick now is to keep up momentum. If everything is implemented correctly, you will naturally see interest in information security increase throughout the organisation, apart from the inevitable stragglers, who will be the hardest to convince but will eventually come around once an initiative sparks their interest.

The satisfaction of seeing the program work makes all the effort worthwhile: individuals who may never have shown an interest in the subject will approach you to ask a security-specific question, or to report anomalous behaviour they recognised from a custom video they watched or an initiative they took part in.

Step 4 - continuously innovate

Keeping things new and exciting is never easy, but diversity is key. A simple way to increase interest is to introduce more elaborate prizes for all initiatives, so as to boost engagement through rewards. They will come for the prizes but, if the program is implemented correctly, they will leave with knowledge of how to better protect themselves and the organisation.

It's also important to remember that, although it can be, maintaining and managing the program need not be a full-time effort. It is perfectly acceptable, for example, to produce and release custom videos only once a year, and to run initiatives on a quarterly basis. Success does not mean non-stop innovation. Consistency with a hint of diversity is key here.

In summary

This may all sound like a lot of work, and I completely understand that a number of security leaders may shy away from these methods due to their already excessive workload. I understand the fear and I truly sympathise, having been in this situation myself, but the beauty of this system is that it can be tailored to the time and resources at each person's disposal.

The key is not to take on more than you can handle. If you can only find the time and money to implement a handful of the suggested initiatives, even that is enough to start driving your organisation's security posture up. That drive will come from your people's collective knowledge and awareness of the security dangers they face on a daily basis, and you will have been the one to teach them about it, whatever method you choose. Take pride in that, always.

Meet Malcolm Portelli

Malcolm is a cybersecurity leader and champion of human-centric infosec culture.

He drives security awareness through creative, culture-embedded programs that empower people as the first line of defence, and is passionate about making cybersecurity engaging, accessible, and impactful across all levels of an organisation.
