The importance of security awareness and removing fear as a training motivation
Security Blog Post – Matthew Hatchard CSyP CITP, CISO Scutum Group
Although cyber risk and information security are increasingly a hot topic on the agenda of many a CIO, and rightly so, stakeholder engagement must be approached with the right strategy.
Fear of core system compromise or leakage of personal credentials is unlikely to transform inquisitive and phishing-prone workers into sceptical cybersecurity participants. Instead, it is essential to create a culture of risk appreciation – that’s not the same as instilling an inherent dread of opening an email that seems suspect, but instead illustrating with practical examples what to look out for and the combined benefits of a unified cyber-aware culture.
Information Security is about the fundamentals of collaboration and communication. It is the responsibility of senior management to communicate sound security behaviour, providing the tools and the training to make that possible throughout the entire organisation.
Takeaway: the problem with fear as a training motivation is that the people who fall for an excellent phishing attack will never know they were the victim of an attack.
Although the end-user is frequently associated with the highest risk on an I.T. heatmap, staff should always feel that issues can be reported proactively, without fear. Every report strengthens our security – if security awareness training focuses too heavily on nightmare scenarios, staff may be reluctant to come forward with helpful information, increasing the organisation’s vulnerability.
If staff are engaged, empowered, and feel like part of a positive I.T. culture, they will be the best and the first line of defence – I.T. Security is more than a reactive process; focusing too heavily on technology investment and policy over awareness training will reduce the ROI of any cyber strategy.
At Scutum Group, we aim to balance the best of breed technology and skills alongside information security awareness. We must make internal security work so that it does not get in the way of business goals – if leadership aims to achieve its Information Security goals, positive stakeholder engagement at all levels is the number one priority.