
Using vCISO Services to Strengthen Customer Defenses


COMMENTARY: October was Cybersecurity Awareness Month, and the Cybersecurity and Infrastructure Security Agency (CISA) offered a variety of resources and events to help boost cybersecurity knowledge and best practices. A key figure in ensuring organizations follow those best practices is the CISO — an executive-level champion of good cyber hygiene.

The CISO serves as a bridge between the internal and external IT and security teams and executive leadership. The managers in the C-suite often do not fully comprehend the need to protect their data and systems against ongoing and constantly evolving threats.

Leverage Awareness to Drive Action

CISOs should be having ongoing conversations with a variety of stakeholders, including the technical staff (like engineers and developers), senior managers in engineering, legal, finance, and other areas, and with the board of directors to keep everyone up to date on the latest threats and best practices in protecting against them.

Many smaller firms do not have a dedicated CISO or equivalent. In some cases, MSPs and MSSPs are taking on the virtual CISO (vCISO) role to help these businesses develop cybersecurity strategies, manage risks, oversee training, and handle compliance issues.

Whether the role is in-house or outsourced, it’s always good to take the opportunity to remind staff of the threat landscape, reinforce best practices, and implement ongoing training and other programs that can improve security. A few strategies could include:

Develop memorable, even enjoyable, activities to reinforce cybersecurity best practices. You can utilize gamification or raffles/giveaways to encourage participation and provide incentives for learning the material. One example is to host a Capture the Flag (CTF) challenge. There are many open-source CTF challenges that your organization can leverage. CISOs could also launch phishing simulations, schedule cyberattack response simulation activities to drive the message home, or host an “incident response tabletop” that places executives in the hot seat to lead the “incident.” Additionally, online games can help employees recognize phishing attacks or spoofed emails/websites.

Emphasize personal stories and consequences. Employees remain the most vulnerable part of the network, so training and informational materials should be planned that emphasize the human element of cyberattacks and how employees’ personal online lives could be leveraged against them in extortion or ransomware attacks.

Schedule guest speakers to explain different aspects of cybersecurity. CISOs could partner with MSPs, MSSPs, or other providers to lead special seminars or luncheon events. You could even invite local law enforcement or other experts.

Incorporate information on new artificial intelligence (AI) threats into your training and awareness campaigns. Most employees are likely familiar with the rapid rise of AI technology and may even use it at work or in their personal lives. They may not, however, be aware of how the technology is being used in cybercrime. Explain how AI can improve the effectiveness of phishing and other types of malicious emails and provide guidance on recognizing AI-based attacks.

Take a year-round approach to new programs and initiatives. CISOs and vCISOs should map out a 12-month program with additional training and activities to ensure best practices continue to be followed all year. Next year, you can review your accomplishments and see if you met your goals.

Cybersecurity needs to be a priority all year. CISOs and vCISOs can encourage best practices, launch new security initiatives, and plan additional training/awareness activities to help keep employees up to speed on current threats and strategies.

MSSP Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels.