A Culture of Security Consciousness
While cybersecurity training tends to center on technology upskilling, creating a culture of security consciousness is of equal importance. We know this because 95% of breaches track back to human error. Developing the mentorship programs that lead to that culture must be managed as a very deterministic process.
Organizations will never achieve a goal of cultural consciousness by scheduling security awareness training twice a year.
Continual Education and Upskilling
The “science” of cybersecurity is complex, and the challenges of absorbing new layers of technology into our existing ecosystem on a continual basis argue strongly in favor of continual education and upskilling. New network, container, cloud, edge computing, DevSecOps, and remote engineering skills are essential just to maintain pace with current growth initiatives, let alone the pressures of the fourth industrial revolution and digital transformation.
Falling behind is not an option.
The Art of Resilience
But equally important and complex is the human cultural influence, the art, on organizational resilience in cybersecurity. Attending classes on AWS Containers in order to certify is very different from attending classes on AWS Containers out of a passion to learn: a passion to get better, to contribute to an improved overall organizational security posture, and to take pride in that participation.
In today’s DIY training and education model, we work from a course catalog and hope that our students are sufficiently self-motivated to absorb the new skills and apply them on our behalf. If we collect metrics around phishing, for example, they will tell us something superficial about our security culture. They’ll tell us what people are doing, not why they’re doing it.
Understanding the “why” is absolutely crucial because it will become our point of influence to change behavior and begin to create that culture of consciousness that we seek. The “why” helps in understanding underlying assumptions and determining what we can do to address gaps between what the security team needs to accomplish and what people are actually doing.
Understanding the organizational culture, mission and values will inform a change model and establish a baseline for progress toward cybersecurity cultural objectives, against which metrics can be applied to assure that the more challenging program goals are effective and being achieved.
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.